Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

DB Connect 3.1.4 - Unable to write records - Error in handling indexed fields

aagro
Path Finder
‎01-11-2019 01:25 AM

Hi All,
I have a problem about splunk DB Connect App (Splunk Enterprise 7.2.3 - DB Connect 3.1.4) with my MySQL instance.
The MYSQL query return events and it's all right, rising column is ok, no error, but after I save the input, the events are not indexed:

2019-01-11 10:12:13.855 +0100 [QuartzScheduler_Worker-8] ERROR org.easybatch.core.job.BatchJob - Unable to write records
java.io.IOException: HTTP Error 400, HEC response body: {"text":"Error in handling indexed fields","code":15,"invalid-event-number":0}, trace: HttpResponseProxy{HTTP/1.1 400 Bad Request [Date: Fri, 11 Jan 2019 09:12:13 GMT, Content-Type: application/json; charset=UTF-8, X-Content-Type-Options: nosniff, Content-Length: 78, Vary: Authorization, Connection: Keep-Alive, X-Frame-Options: SAMEORIGIN, Server: Splunkd] ResponseEntityProxy{[Content-Type: application/json; charset=UTF-8,Content-Length: 78,Chunked: false]}}
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEventBatch(HttpEventCollector.java:132)
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEvents(HttpEventCollector.java:96)
at com.splunk.dbx.server.dbinput.recordwriter.HecEventWriter.writeRecords(HecEventWriter.java:36)
at org.easybatch.core.job.BatchJob.writeBatch(BatchJob.java:203)
at org.easybatch.core.job.BatchJob.call(BatchJob.java:79)
at org.easybatch.extensions.quartz.Job.execute(Job.java:59)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
2019-01-11 10:12:13.855 +0100 [QuartzScheduler_Worker-8] INFO org.easybatch.core.job.BatchJob - Job 'test_bcc013' finished with status: FAILED

The column of table are very simple and small like a integer id or char name.

Someone can help me please?

Tags (1)
0 Karma
Reply

thomasroulet
Path Finder
‎04-09-2019 05:01 AM

Http Event Collector expects to receive dates in format:

timestamp.microsecondes

Splunk DB connect transforms dates in this format via Java. If the default locale takes the comma as the decimal separator, the problems start ...

To solve this problem :

In Splunk DB Connect > Configuration> Settings> General, add the option in JVM Options:

-Duser.language=en

Save, java server restarts.

,

Reply

skramp
SplunkTrust
SplunkTrust
‎04-18-2019 12:32 AM

This solved my problem, in my case it was the correct solution. Thanks!

0 Karma
Reply

chlima
Explorer
‎02-25-2019 08:32 AM

Hey guys!

What about Windows environment?

Wich settings must we use?

Thanks!

0 Karma
Reply

aagro
Path Finder
‎02-26-2019 01:52 AM

Did you encountered problem on Windows?

By default I advise you to install the last version of Splunk Enteprise and DB Connect.

Let us know if you're having problems.

Regards,
Antonio

0 Karma
Reply

chlima
Explorer
‎02-27-2019 04:50 AM

Hi!

Yes! I got errors like this (Unable to write records) on Windows and versions 3.1.4 or 3.1.3

I solved this by downgrading to 3.1.1

I saw in the post below and confirmed through internal logs that time field from HEC payload has a comma and not a dot like in documentation. Maybe it be a bug ?

https://answers.splunk.com/answers/640570/why-are-dbconnect-3-inputs-unable-to-write-records.html

0 Karma
Reply

apascualcrespo
New Member
‎01-17-2019 03:58 AM

As I mention before, I thought that it was related with the new version, not sure if only DB Connect (3.1.4) or also because of Splunk Enterprise (7.2.3).
I solved it downgrading Splunk Enterprise to 7.2.1 and uninstalling DB Connect, then I installed 3.1.2 version and made new connections and identities in DB Connect. Don't copy them from 3.1.4, you have make new ones from beginning, otherwise it will not work.

I hope it helps you.

Álvaro.

0 Karma
Reply

aagro
Path Finder
‎01-17-2019 06:24 AM

Thank you Alvaro!

0 Karma
Reply

apascualcrespo
New Member
‎01-18-2019 04:31 AM

Did you solve it?

0 Karma
Reply

aagro
Path Finder
‎01-21-2019 06:47 AM

Yes I solved it but I did not try with downgrade.
I keep your suggestion as another way to solve the problem.

Thanks,
Antonio

0 Karma
Reply

apascualcrespo
New Member
‎01-16-2019 09:59 AM

Did you update the DB Connect to 3.1.4 version?
I had to reinstall it and stopped working after it...

0 Karma
Reply

aagro
Path Finder
‎01-17-2019 06:23 AM

No, DB Connect version 3.1.4 was first installation, but I keep mind yor suggestion.

Thanks,
Antonio

0 Karma
Reply

aagro
Path Finder
‎01-11-2019 03:24 AM

I resolve the problem tuning the env variable of OS (my LANG/LC_ALL was in IT) :

LANG=en_US.UTF-8
LC_ALL=en_US.UTF-8

After server reboot, this one has resolved my problem.

Splunk Enterprise: 7.2.3
DB Connect: 3.1.4
OS Centos: 7.x
DB: MySQL 5.x

Regards,
Antonio

0 Karma
Reply
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...