Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk DB Connect - Cannot Delete Data Lab -> inputs

cbwillh
Path Finder
‎09-30-2020 02:40 PM

I have a Splunk Enterprise Heavy Forwarder which is forwarding SQL Audit Logs by way of the Splunk DB Connect App.

my version of Splunk DB Connect is 3.2.0

(I know this is not the latest version but I am using version 3.2.0 because as soon as we upgrade to 3.4.0 DB Connect breaks completely and won't display anything it the UI).

I am having an issue where I am unable to delete an input which is a clone of another input and not required any more.

the input I want to delete is disabled but the issue happens whether the input is in an enabled or a disabled state.

to delete the input I login to my heavy forwarders Splunk Web Interface

next I select the Splunk DB Connect App from the Apps List on the left

next I select the Data Lab TAB

next I select the inputs option then I click the delete option next to the input I want to delete

I am prompted with the "Are you sure to delete this input?" message and I select OK

at that point I get an error message at the top of the page with the following message:

Splunkd error: HTTP 404 -- Action forbidden.

my input remains and I am unable to delete it.

 

I am an admin and I am also a DB Connect Admin so I have permissions to do whatever I want on this box.

I have looked through the splunk_app_db_connect folder in the hope of finding the .conf file where the inputs configurations are stored so that I could manually remove them there. unfortunately I am unable to figure out where these Data Lab -> Inputs are being stored

I am hoping that someone on here has a deeper understanding of DB Connect and can help me figure out how I can delete my old inputs from DB Connect either by finding the cause of the error and resolving it so it can be done via the GUI or by helping me with finding a way to delete the inputs manually via the file system for the app.

 

Labels (1)
Labels
0 Karma
Reply

smichalski
Explorer
‎07-17-2024 03:06 AM

My apologies for bringing that old topic up again, but it's the only one about the error message and I stumbled across it while investigating on the same issue (different app version, but not the latest, so it might be fixed).

In summary, I could trace the problem back to local.meta, which listed a user as object owner whose Splunk account had been removed. Solution was to either re-assign the object to a valid user, or remove the owner entry (= assigns it to nobody).

0 Karma
Reply

DanielPi
Moderator
Moderator
‎07-17-2024 05:05 AM

Hi @smichalski ,

I’m a Community Moderator in the Splunk Community.

This question was posted 4 years ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the  visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.

Thank you! 

0 Karma
Reply

ericlarsen
Path Finder
‎05-14-2021 06:50 AM

Did you resolve this issue?  I'm experiencing the exact same thing.

0 Karma
Reply

cbwillh
Path Finder
‎05-14-2021 07:45 AM

Yes I did figure it out in the end but nobody responded to my issue on here so hence why the solution was not posted.

This is how I manually deleted my Data Lab Inputs from DB Connect

File to edit to manually delete DB Connect Inputs if deleting in GUI fails with error

SPLUNK_HOME/etc/apps/search/local/db_inputs.conf

NOTE: SPLUNK_HOME = Splunk Home Directory in my case I have a windows Splunk Enterprise server so my full path was C:\Program Files\Splunk\etc\apps\search\local

To manually remove a DB Connect input edit the file above

Highlight and delete all related entries for the DB Connect input

Example: in my file there was a Test DB so to delete that DB remove the title line and the 6 lines referencing settings for the DB that are immediately below the Title line. See Below

[test]
coldPath = $SPLUNK_DB\test\colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB\test\db
maxTotalDataSizeMB = 10240
thawedPath = $SPLUNK_DB\test\thaweddb


Save the file
Restart Splunk


Confirm in the GUI Console that the Inputs are no longer there

 

NOTE: the file above is how I resolved the issue in my environment but just in case the databases are not listed in that file the file below is another location where the DB Connect App Databases are shown so potentially they could be removed there as well.

C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\local\db_inputs.conf

Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...