Splunk Search

DB Connect: I don't see any data after adding my database input

abassili
Explorer

I have defined a database input (dump type) with a simple SQL query and a key-value output format. \

The "dbx.log" file shows that the query is running without any problems:

2014-09-19 11:06:08.426 dbx1788:INFO:ExecutionContext - Execution finished in duration=23 ms
2014-09-19 11:06:08.427 monsch2:INFO:Scheduler - Execution of input=[dbmon-dump://DB-SERVER/INPUT_SAMPLE_1] finished in duration=22 ms with resultCount=31 success=true continueMonitoring=true

The Splunk's \spool\dbmon directory has the the right csv_*.dbmonevt files.

Yet I don't see any data when I try to do the search. Even the source type is not there.

Am I missing a step in order for this to work?

Tags (1)
0 Karma

abassili
Explorer

Nothing shows up ...

Even when I try source=dbmon-tail://...., there is nothing there.

Splunk does not even recognize this source or sourcetype.

0 Karma

pradeepkumarg
Influencer

the index that you specified in your database inputs, did you create that index in indexes.conf?

0 Karma

abassili
Explorer

Where can I find that file index.conf?

I have deleted the old database input and created a new one (index = input1).

Here's the the inputs.conf (I have not changed anything there):

Copyright (C) 2005-2014 Splunk Inc. All Rights Reserved.

JBridge Server script

[script://./bin/jbridge_server.py]
index = input1
sourcetype = dbx_jbridge
interval = 0
disabled = false
passAuth = splunk-system-user
[script://.\bin\jbridge_server.py]
index = input1
sourcetype = dbx_jbridge
interval = 0
disabled = false
passAuth = splunk-system-user

Are there any files that I need to add that index to?

This is still not working. I got nothing with the search inddex = "input1"

Thanks a lot for your help. I think I'm getting closer.

0 Karma

pradeepkumarg
Influencer

If you want to create a index as "input1" you have to create it in indexes.conf. More details here
http://docs.splunk.com/Documentation/Splunk/6.1.3/admin/Indexesconf

0 Karma

abassili
Explorer

I am using the deafult index (Splunk Index: index). I suppose that is already defined.

0 Karma

pradeepkumarg
Influencer

I don't think there is any index which is called as 'index', you can try 'main' index or create your own index and then configure dbinputs for that index .

abassili
Explorer

Thanks, I changed the index to main but sill no luck. Do I need to configure the index I create? Where should I do that? I see the "inputs.conf". Is that the one?

0 Karma

pradeepkumarg
Influencer

After you change the index to main, you have to make sure new events are returned for your query. I would suggest creating a new database inputs rather than modifying the existing one.

0 Karma

pradeepkumarg
Influencer

Did you try just with the source filter and see?

source will be your dbmon input like below

source=dbmon-tail://*

0 Karma

dimoobraznii
Path Finder

Sometime you can get problems with license restrictions or can define index by default, if so, you could check main index.
In addition, check Activity->jobs.

0 Karma

abassili
Explorer

Thanks ... I don't see any license alerts or violations and the volume that I have used today is way below the allowed daily volume. I checked "Activity->jobs", but I could not see any jobs there.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!