Splunk Enterprise

Splunk DB Connect - Cannot Delete Data Lab -> inputs

cbwillh
Path Finder

I have a Splunk Enterprise Heavy Forwarder which is forwarding SQL Audit Logs by way of the Splunk DB Connect App.

My version of Splunk DB Connect is 3.2.0.

(I know this is not the latest version, but I am using version 3.2.0 because as soon as we upgrade to 3.4.0 DB Connect breaks completely and won't display anything in the UI.)

I am having an issue where I am unable to delete an input which is a clone of another input and not required any more.

The input I want to delete is disabled, but the issue happens whether the input is in an enabled or a disabled state.

To delete the input, I log in to my heavy forwarder's Splunk Web interface.

Next I select the Splunk DB Connect App from the Apps list on the left.

Next I select the Data Lab tab.

Next I select the Inputs option, then I click the delete option next to the input I want to delete.

I am prompted with the "Are you sure to delete this input?" message and I select OK.

At that point I get an error message at the top of the page with the following message:

Splunkd error: HTTP 404 -- Action forbidden.

My input remains and I am unable to delete it.

I am an admin and I am also a DB Connect Admin, so I have permissions to do whatever I want on this box.

I have looked through the splunk_app_db_connect folder in the hope of finding the .conf file where the input configurations are stored so that I could manually remove them there. Unfortunately, I am unable to figure out where these Data Lab -> Inputs are being stored.

I am hoping that someone on here has a deeper understanding of DB Connect and can help me figure out how I can delete my old inputs from DB Connect, either by finding the cause of the error and resolving it so it can be done via the GUI, or by helping me find a way to delete the inputs manually via the file system for the app.

0 Karma

ericlarsen
Path Finder

Did you resolve this issue?  I'm experiencing the exact same thing.

0 Karma

cbwillh
Path Finder

Yes, I did figure it out in the end, but nobody responded to my issue on here, hence why the solution was not posted.

This is how I manually deleted my Data Lab inputs from DB Connect:

File to edit to manually delete DB Connect inputs if deleting in the GUI fails with an error:

SPLUNK_HOME/etc/apps/search/local/db_inputs.conf

NOTE: SPLUNK_HOME = Splunk home directory. In my case I have a Windows Splunk Enterprise server, so my full path was C:\Program Files\Splunk\etc\apps\search\local

To manually remove a DB Connect input, edit the file above.

Highlight and delete all related entries for the DB Connect input.

Example: in my file there was a Test DB, so to delete that DB, remove the title line and the 6 lines referencing settings for the DB that are immediately below the title line. See below:

[test]
coldPath = $SPLUNK_DB\test\colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB\test\db
maxTotalDataSizeMB = 10240
thawedPath = $SPLUNK_DB\test\thaweddb


Save the file.
Restart Splunk.

Confirm in the GUI console that the inputs are no longer there.

NOTE: The file above is how I resolved the issue in my environment, but just in case the databases are not listed in that file, the file below is another location where the DB Connect App databases are shown, so potentially they could be removed there as well.

C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\local\db_inputs.conf
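
The manual removal described in the post above, as an added example that is not part of the original thread and not Splunk's own tooling: it removes one named stanza from a Splunk .conf file and writes a timestamped backup before changing anything. The function names, the backup file naming, and the `[other_input]` and `[test2]` stanzas are assumptions made for illustration; Splunk still needs a restart afterwards, as the post says.

```python
import re
import shutil
import time
from pathlib import Path
from typing import Optional, Tuple

STANZA_HEADER = re.compile(r"^\[(?P<name>[^\]]*)\]$")

# Constructed sample: [test] is the stanza quoted in the post above;
# [other_input] and [test2] are made-up neighbours that must survive.
SAMPLE = r"""[other_input]
disabled = 1

[test]
coldPath = $SPLUNK_DB\test\colddb
enableDataIntegrityControl = 0
enableTsidxReduction = 0
homePath = $SPLUNK_DB\test\db
maxTotalDataSizeMB = 10240
thawedPath = $SPLUNK_DB\test\thaweddb

[test2]
disabled = 0
"""

def remove_stanza(conf_text: str, stanza: str) -> Tuple[str, int]:
    """Drop one stanza: its [header] line and everything up to the next header."""
    # Names are compared exactly, so "test" never matches "test2".
    kept, removed, skipping = [], 0, False
    for line in conf_text.splitlines(keepends=True):
        header = STANZA_HEADER.match(line.strip())
        if header:
            skipping = header.group("name") == stanza
        if skipping:
            removed += 1
        else:
            kept.append(line)
    return "".join(kept), removed

def delete_input(conf_path: Path, stanza: str) -> Optional[Path]:
    """Back up conf_path, rewrite it without the stanza; None if stanza absent."""
    new_text, removed = remove_stanza(conf_path.read_text(encoding="utf-8"), stanza)
    if removed == 0:
        return None
    backup = conf_path.with_name(conf_path.name + time.strftime(".%Y%m%d-%H%M%S.bak"))
    shutil.copy2(conf_path, backup)
    conf_path.write_text(new_text, encoding="utf-8")
    return backup
```

Blank or comment lines sitting between two stanzas are treated as part of the earlier stanza, so review the backup if the file carries comments above the next header.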
