DB Connect Tail Command not updating


I am using a tail db command to pull events from an Oracle database every hour. I was able to pull in all of the data the first time it ran, but I haven't received any new events. When I looked at the log file, I'm receiving the following error message:

2013-06-21 10:48:53.060 dbx5648:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit
2013-06-21 10:49:31.963 dbx9326:INFO:DatabaseInfoCommand - Fetching schemas for database=DB_Audit
2013-06-21 10:49:33.123 dbx4360:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit
2013-06-21 11:21:22.312 monsch1:ERROR:Scheduler - Error while reading stanza=[dbmon-tail://DB_Audit/DB_Audit_Tail]: com.splunk.config.SplunkConfigurationException: No output.format defined for stanza dbmon-tail://DB_Audit/DB_Audit_Tail
2013-06-21 11:23:16.671 dbx7573:INFO:DatabaseInfoCommand - Fetching schemas for database=DB_Audit
2013-06-21 11:23:18.714 dbx179:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit
2013-06-21 11:30:16.066 dbx5726:INFO:DatabaseInfoCommand - Fetching schemas for database=DB_Audit
2013-06-21 11:30:17.237 dbx373:INFO:DatabaseInfoCommand - Fetching tables for database=DB_Audit

Any idea what this error is?


You may need an output.timestamp.parse.format
This is from an old post: http://splunk-base.splunk.com/answers/71485/splunk-db-connect-timestamp-not-working

"The output.timestamp.parse.format is detailed in the DBX documentation, but there is no way to set it from the user interface. Once the timestamp was converted to text and both format filters were set to match the output, everything seemed to start working correctly."

output.timestamp.parse.format is explained here: http://docs.splunk.com/Documentation/DBX/1.0.11/DeployDBX/inputsspec

You also need to watch out for conflicting inputs.conf files.



I'm having the same problem as "Knewter". The difference is that I'm trying to read data from MS-SQL. We also tried without the SQL-query, no output-timestamp and different output.formats, all with the same result. The output of "splunk cmd btool inputs list dbmon-tail" shows that all settings in the stanzas are read by Splunk correctly.



Environment=Server 2008 R2 Enterprise

Error-message in "dbx.log"

2013-07-09 10:46:12.200 monsch1:ERROR:Scheduler - Error while reading stanza=[dbmon-tail://xxxxxxx/xxxxxxx]: com.splunk.config.SplunkConfigurationException: No output.format defined for stanza dbmon-tail://xxxxxxx/xxxxxxx



disabled = 0

crcSalt =
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

host = xxxxxxx
index = owa
interval = 300
output.format = kv
output.timestamp = 1
output.timestamp.column = logtime
query = select dbo.xxxxxxx(ClientIP), ClientUserName,logtime,uri from dbo.xxxxxxxxxxxx where ClientUserName like '%LDAP%' and UrlDestHost LIKE '%mxs%'
sourcetype = OWA
tail.rising.column = logtime
table = dbo.xxxxxxxxxxxx
output.timestamp.format = yyyy-MM-dd HH:mm:ss.SSS



The error suggests that there is no output.format in your database input stanza in inputs.conf. This setting is mandatory - you could try to update the input using the UI once and see if that resolves the problem.



I ran the btool command earlier and it shows the output.format in there.
/opt/splunk/etc/apps/dbx/local/inputs.conf output.format = kv
/opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp = 1
/opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp.column = created_on
/opt/splunk/etc/apps/dbx/local/inputs.conf output.timestamp.format = MM/dd/yyyy HH:mm:ss.SSS
It's like Splunk doesn't see those lines. The strange thing is it was working a few days ago.



What result do you get when you run the following command (assuming the splunk binary is in $PATH):

splunk cmd btool inputs list dbmon-tail://DB_Audit/DB_Audit_Tail --debug


I've restarted Splunk but I'm still receiving the errors.



That shouldn't be necessary. You can try to restart Splunk in order to force DB Connect to reload the config.



Strange, when I look at the inputs.conf file it's there. Should I just re-save the config file?

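An added example, not part of the original thread: a Python helper that reads the output of `splunk cmd btool inputs list --debug` and reports, for each dbmon-tail stanza, whether output.format is set and whether its settings come from more than one inputs.conf file (the "conflicting inputs.conf" case mentioned above). It assumes each line is a .conf file path followed by a stanza header or a key = value pair; the second stanza and the search-app path in the sample are constructed.

```python
import re

# Assumed layout of `btool ... --debug` lines:
#   "<path to .conf file>   <[stanza] or key = value>"
LINE = re.compile(r"^(?P<path>.+?\.conf)\s+(?P<body>\S.*)$")
REQUIRED = ("output.format",)  # the key named in the dbx.log error

def audit_dbmon_tail(btool_debug_output):
    """Return {stanza: {"missing": [...], "files": [...], "multi_source": bool}}."""
    settings = {}  # stanza -> key -> (value, source file)
    stanza = None
    for raw in btool_debug_output.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        path, body = m.group("path"), m.group("body").strip()
        if body.startswith("[") and body.endswith("]"):
            stanza = body[1:-1]
            settings.setdefault(stanza, {})
            continue
        if stanza is None or "=" not in body:
            continue
        key, _, value = body.partition("=")
        settings[stanza][key.strip()] = (value.strip(), path)

    report = {}
    for name, kv in settings.items():
        if not name.startswith("dbmon-tail://"):
            continue
        files = sorted({src for _, src in kv.values()})
        # A key that is present but empty counts as missing too.
        missing = [k for k in REQUIRED if not kv.get(k, ("", ""))[0]]
        report[name] = {"missing": missing, "files": files,
                        "multi_source": len(files) > 1}
    return report

# Constructed sample input (not captured from a real system).
SAMPLE = """\
/opt/splunk/etc/apps/dbx/local/inputs.conf    [dbmon-tail://DB_Audit/DB_Audit_Tail]
/opt/splunk/etc/apps/dbx/local/inputs.conf    interval = 3600
/opt/splunk/etc/apps/dbx/local/inputs.conf    output.format = kv
/opt/splunk/etc/apps/search/local/inputs.conf tail.rising.column = created_on
/opt/splunk/etc/apps/search/local/inputs.conf [dbmon-tail://DB_Audit/Second_Tail]
/opt/splunk/etc/apps/search/local/inputs.conf output.timestamp = 1
"""

if __name__ == "__main__":
    for name, info in audit_dbmon_tail(SAMPLE).items():
        print(name, info)
```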