Splunk Enterprise

DB connect not sending data

Strangertinz
Path Finder

Hi Splunk Community, 

I am having issues with Splunk DB Connect 3.18.0 not sending data. 

I was able to connect the DB Connect app to the database and query properly, but no luck seeing the data from Splunk Cloud. I am able to send other logs and data to Splunk Cloud with no issues. 

Thanks!

0 Karma

Strangertinz
Path Finder

Thanks @gcusello for getting back to me!

Yes, I configured DB Connect fully; everything works, but the actual data is not being sent.

I tried both batch and rising input types with no luck getting data sent. 

Yes, I ingested a sample log file and it showed up successfully on Splunk Cloud. 

Yes, I used the same index I ingested the sample file to. 

Please let me know if there are other things I can check to resolve this issue. 

Is there any known issue with this Splunk DB Connect version?

0 Karma

gcusello
SplunkTrust

Hi @Strangertinz ,

Check again the results in the rising column field: usually the issue is there.

You get results when executing the SQL query in DB-Connect, but the input extracts only the records with rising column values greater than the checkpoint; if the rising column isn't correct or there are duplicated values, you risk losing records.

Ciao.

Giuseppe

0 Karma
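The rising-column behaviour described in the reply above, simulated as an added example that is not part of the original thread and is not DB Connect's own code. The `audit_log` table, its columns and rows are constructed sample data; the `poll` helper is a hypothetical stand-in for one input run that assumes a strict "greater than checkpoint" comparison, and the already-advanced checkpoint case goes beyond what the reply states.

```python
import sqlite3

def make_db(rows):
    """Build an in-memory source table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE audit_log (id INTEGER, updated_at INTEGER, msg TEXT)")
    db.executemany("INSERT INTO audit_log VALUES (?, ?, ?)", rows)
    return db

def poll(db, column, checkpoint):
    """One rising-input run: fetch rows above the checkpoint, then advance it."""
    if column not in ("id", "updated_at"):  # column name is interpolated, so allow-list it
        raise ValueError(column)
    rows = db.execute(
        f"SELECT id, updated_at, msg FROM audit_log WHERE {column} > ? ORDER BY {column}",
        (checkpoint,),
    ).fetchall()
    idx = 0 if column == "id" else 1
    new_checkpoint = rows[-1][idx] if rows else checkpoint
    return rows, new_checkpoint

def simulate(column):
    """Two polls with rows arriving in between; returns (ids never ingested, checkpoint)."""
    db = make_db([(1, 100, "login"), (2, 100, "read"), (3, 105, "write")])
    ingested, cp = [], 0
    rows, cp = poll(db, column, cp)
    ingested += [r[0] for r in rows]
    # Between polls: id 4 ties with the checkpoint value 105, id 5 commits late with an older value
    db.executemany("INSERT INTO audit_log VALUES (?, ?, ?)",
                   [(4, 105, "delete"), (5, 103, "late commit"), (6, 110, "logout")])
    rows, cp = poll(db, column, cp)
    ingested += [r[0] for r in rows]
    all_ids = [r[0] for r in db.execute("SELECT id FROM audit_log ORDER BY id")]
    return [i for i in all_ids if i not in ingested], cp

def stuck_checkpoint_poll():
    """A checkpoint already above every value in the column returns no rows at all."""
    db = make_db([(1, 100, "login"), (2, 100, "read")])
    return poll(db, "id", 10_000)[0]

if __name__ == "__main__":
    print("missed with updated_at:", simulate("updated_at"))
    print("missed with id:", simulate("id"))
    print("rows with stuck checkpoint:", stuck_checkpoint_poll())
```

With the non-unique `updated_at` column, ids 4 and 5 are silently skipped, while the unique, strictly increasing `id` column loses nothing.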

Strangertinz
Path Finder

Hi @gcusello 

I will check again. I also used batched results and still did not see any data. This is why I am not narrowing my focus on the rising column but I will evaluate further and ensure there are no errors with the rising column. 


Thanks!

0 Karma

gcusello
SplunkTrust

Hi @Strangertinz ,

OK, let me know if I can help you further.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

 

0 Karma

PickleRick
SplunkTrust

OK. I assume you're talking about a DBConnect app installed on a HF in your on-prem environment, right?

If you're getting other logs from that HF (_internal, some other inputs), that means that the HF is sending the data. It's the dbconnect input that's not pulling the data properly from the source database. (the dbconnect doesn't "send" anything on its own; it just gets the data from the source and lets Splunk handle it like any other input). So check your _internal for anything related to that input.

0 Karma

Strangertinz
Path Finder

Hi @PickleRick,

 

That is indeed the setup I have. 

That is correct, there isn't an issue with the connection between the HF and Splunk Cloud, but rather my results from the DB Connect app not sending to Splunk Cloud. 

I am more so looking to see if anyone else has faced this issue before, because I have checked several things and all looks well, but no real solution to get the data transferred.

0 Karma

gcusello
SplunkTrust

Hi @Strangertinz ,

A stupid question: have you configured the input in DB-Connect or did you only test the connection?

Did you check the checkpoint based on the rising column? In other words, are you sure that you have values where the rising column value is greater than the previous one?

Are you sure that you're receiving logs on Splunk Cloud from the same server where DB-Connect is located?

Did you check the index used in the inputs.conf?

Ciao.

Giuseppe

0 Karma