Hi All,
I have a problem about splunk DB Connect App (Splunk Enterprise 7.2.3 - DB Connect 3.1.4) with my MySQL instance.
The MYSQL query return events and it's all right, rising column is ok, no error, but after I save the input, the events are not indexed:
2019-01-11 10:12:13.855 +0100 [QuartzScheduler_Worker-8] ERROR org.easybatch.core.job.BatchJob - Unable to write records
java.io.IOException: HTTP Error 400, HEC response body: {"text":"Error in handling indexed fields","code":15,"invalid-event-number":0}, trace: HttpResponseProxy{HTTP/1.1 400 Bad Request [Date: Fri, 11 Jan 2019 09:12:13 GMT, Content-Type: application/json; charset=UTF-8, X-Content-Type-Options: nosniff, Content-Length: 78, Vary: Authorization, Connection: Keep-Alive, X-Frame-Options: SAMEORIGIN, Server: Splunkd] ResponseEntityProxy{[Content-Type: application/json; charset=UTF-8,Content-Length: 78,Chunked: false]}}
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEventBatch(HttpEventCollector.java:132)
at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEvents(HttpEventCollector.java:96)
at com.splunk.dbx.server.dbinput.recordwriter.HecEventWriter.writeRecords(HecEventWriter.java:36)
at org.easybatch.core.job.BatchJob.writeBatch(BatchJob.java:203)
at org.easybatch.core.job.BatchJob.call(BatchJob.java:79)
at org.easybatch.extensions.quartz.Job.execute(Job.java:59)
at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)
2019-01-11 10:12:13.855 +0100 [QuartzScheduler_Worker-8] INFO org.easybatch.core.job.BatchJob - Job 'test_bcc013' finished with status: FAILED
The column of table are very simple and small like a integer id or char name.
Someone can help me please?
Http Event Collector expects to receive dates in format:
timestamp.microsecondes
Splunk DB connect transforms dates in this format via Java. If the default locale takes the comma as the decimal separator, the problems start ...
To solve this problem :
In Splunk DB Connect > Configuration> Settings> General, add the option in JVM Options:
-Duser.language=en
Save, java server restarts.
,
This solved my problem, in my case it was the correct solution. Thanks!
Hey guys!
What about Windows environment?
Wich settings must we use?
Thanks!
Did you encountered problem on Windows?
By default I advise you to install the last version of Splunk Enteprise and DB Connect.
Let us know if you're having problems.
Regards,
Antonio
Hi!
Yes! I got errors like this (Unable to write records) on Windows and versions 3.1.4 or 3.1.3
I solved this by downgrading to 3.1.1
I saw in the post below and confirmed through internal logs that time field from HEC payload has a comma and not a dot like in documentation. Maybe it be a bug ?
https://answers.splunk.com/answers/640570/why-are-dbconnect-3-inputs-unable-to-write-records.html
As I mention before, I thought that it was related with the new version, not sure if only DB Connect (3.1.4) or also because of Splunk Enterprise (7.2.3).
I solved it downgrading Splunk Enterprise to 7.2.1 and uninstalling DB Connect, then I installed 3.1.2 version and made new connections and identities in DB Connect. Don't copy them from 3.1.4, you have make new ones from beginning, otherwise it will not work.
I hope it helps you.
Álvaro.
Thank you Alvaro!
Did you solve it?
Yes I solved it but I did not try with downgrade.
I keep your suggestion as another way to solve the problem.
Thanks,
Antonio
Did you update the DB Connect to 3.1.4 version?
I had to reinstall it and stopped working after it...
No, DB Connect version 3.1.4 was first installation, but I keep mind yor suggestion.
Thanks,
Antonio
I resolve the problem tuning the env variable of OS (my LANG/LC_ALL was in IT) :
LANG=en_US.UTF-8
LC_ALL=en_US.UTF-8
After server reboot, this one has resolved my problem.
Splunk Enterprise: 7.2.3
DB Connect: 3.1.4
OS Centos: 7.x
DB: MySQL 5.x
Regards,
Antonio