Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

DBConnect Query Failing After Upgrade

sarge338
Path Finder
‎12-30-2024 08:40 AM

I have a DBConnect query that runs to populate the panel of a dashboard every week.  We upgraded both the database which houses the data AND Splunk a couple of weeks ago.  The new database is Postgres 14 and Spunk is not at 9.2.3.  I have run this query directly on the Postgres box, so it appears that Postgres doesn't suddenly have an issue with it.

Other panels/queries in this dashboard use the same DBConnect connection, so the path, structure, and data all appear to be good.  The issue seems to lie with the "math" in the time range, but I cannot put my finger on why.  Basically, we are trying to pull a trend of data going back 8 weeks, starting from last week.

query=" SELECT datekey, policydisposition, count(guid) as events
FROM event_cdr
WHERE datekey >= CURRENT_DATE - CAST(EXTRACT(DOW FROM CURRENT_DATE) as int) - (7*8) AND
               datekey < CURRENT_DATE - CAST(EXTRACT(DOW FROM CURRENT_DATE) as int) AND
direction_flag = 1 AND
policydisposition = 1
GROUP BY
    datekey, policydisposition
ORDER BY
   datekey, policydisposition


When I try to execute this query, I consistently get the following error:
"Error in 'dbxquery' command: External search command exited unexpectedly.

The search job has failed due to an error. You may be able view the job in the Job Inspector"


Some of the search.log file is here:

"12-30-2024 16:00:27.142 INFO PreviewExecutor [3835565 StatusEnforcerThread] - Preview Enforcing initialization done
12-30-2024 16:00:28.144 INFO ReducePhaseExecutor [3835565 StatusEnforcerThread] - ReducePhaseExecutor=1 action=PREVIEW
12-30-2024 16:02:27.196 ERROR ChunkedExternProcessor [3835572 phase_1] - EOF while attempting to read transport header read_size=0
12-30-2024 16:02:27.197 ERROR ChunkedExternProcessor [3835572 phase_1] - Error in 'dbxquery' command: External search command exited unexpectedly.
12-30-2024 16:02:27.197 WARN ReducePhaseExecutor [3835572 phase_1] - Not downloading remote search.log and telemetry files. Reason: No remote_event_providers.csv file.
12-30-2024 16:02:27.197 INFO ReducePhaseExecutor [3835572 phase_1] - Ending phase_1
12-30-2024 16:02:27.197 INFO UserManager [3835572 phase_1] - Unwound user context: User338 -> NULL
12-30-2024 16:02:27.197 ERROR SearchOrchestrator [3835544 searchOrchestrator] - Phase_1 failed due to : Error in 'dbxquery' command: External search command exited unexpectedly.
12-30-2024 16:02:27.197 INFO ReducePhaseExecutor [3835565 StatusEnforcerThread] - ReducePhaseExecutor=1 action=QUIT
12-30-2024 16:02:27.197 INFO DispatchExecutor [3835565 StatusEnforcerThread] - Search applied action=QUIT while status=GROUND
12-30-2024 16:02:27.197 INFO SearchStatusEnforcer [3835565 StatusEnforcerThread] - sid=1735574426.75524, newState=FAILED, message=Error in 'dbxquery' command: External search command exited unexpectedly.
12-30-2024 16:02:27.197 ERROR SearchStatusEnforcer [3835565 StatusEnforcerThread] - SearchMessage orig_component=SearchStatusEnforcer sid=1735574426.75524 message_key= message=Error in 'dbxquery' command: External search command exited unexpectedly.
12-30-2024 16:02:27.197 INFO SearchStatusEnforcer [3835565 StatusEnforcerThread] - State changed to FAILED: Error in 'dbxquery' command: External search command exited unexpectedly.
12-30-2024 16:02:27.201 INFO UserManager [3835565 StatusEnforcerThread] - Unwound user context: User338 -> NULL
12-30-2024 16:02:27.202 INFO DispatchManager [3835544 searchOrchestrator] - DispatchManager::dispatchHasFinished(id='1735574426.75524', username='User338')
12-30-2024 16:02:27.202 INFO UserManager [3835544 searchOrchestrator] - Unwound user context: User338 -> NULL
12-30-2024 16:02:27.202 INFO SearchOrchestrator [3835541 RunDispatch] - SearchOrchestrator is destructed. sid=1735574426.75524, eval_only=0
12-30-2024 16:02:27.203 INFO SearchStatusEnforcer [3835541 RunDispatch] - SearchStatusEnforcer is already terminated
12-30-2024 16:02:27.203 INFO UserManager [3835541 RunDispatch] - Unwound user context: User338 -> NULL
12-30-2024 16:02:27.203 INFO LookupDataProvider [3835541 RunDispatch] - Clearing out lookup shared provider map
12-30-2024 16:02:27.206 ERROR dispatchRunner [600422 MainThread] - RunDispatch has failed: sid=1735574426.75524, exit=-1, error=Error in 'dbxquery' command: External search command exited unexpectedly.
12-30-2024 16:02:27.213 INFO UserManagerPro [600422 MainThread] - Load authentication: forcing roles="db_connect_admin, db_connect_user, slc_user, user""

Labels (1)
Labels
0 Karma
Reply

sarge338
Path Finder
‎12-30-2024 02:47 PM

Some additional information that was somehow omitted from my original post....

If I change date range part of the query from "(7 * 8)" to just "7".  The query runs fine.  If I change "(7 * 8)" to "(7 * 1)", the query runs fine.  If I change "(7 * 8)" to "(7 * 2)"... or any number greater than 2... the query fails with the same error as mentioned in the original post.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

New This Month - Splunk Observability updates and improvements for faster ...

What’s New? This month, we’re delivering several enhancements across Splunk Observability Cloud for faster and ...

What's New in Splunk Cloud Platform 9.3.2411?

Hey Splunky People! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2411. This release ...
Top