Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

In what format should the rising_column be?

joshua_hart
Explorer
‎06-18-2013 06:41 AM

I'm using DB Connect to extract McAfee ePO events from a MS SQL database and I'm using an auto-increment field as the rising_column field to tail the database. When I do that, I receive the following DB Connect error:

2013-06-18 08:43:14.456 dbx9419:ERROR:TailDatabaseMonitor - Error while executing database monitor: java.sql.SQLException: Invalid column name 'event_id'.
java.sql.SQLException: Invalid column name 'event_id'.
at net.sourceforge.jtds.jdbc.SQLDiagnostic.addDiagnostic(SQLDiagnostic.java:372)
at net.sourceforge.jtds.jdbc.TdsCore.tdsErrorToken(TdsCore.java:2820)
at net.sourceforge.jtds.jdbc.TdsCore.nextToken(TdsCore.java:2258)
at net.sourceforge.jtds.jdbc.TdsCore.getMoreResults(TdsCore.java:632)
at net.sourceforge.jtds.jdbc.JtdsStatement.executeSQLQuery(JtdsStatement.java:477)
at net.sourceforge.jtds.jdbc.JtdsPreparedStatement.executeQuery(JtdsPreparedStatement.java:776)
at com.splunk.dbx.sql.Database.query(Database.java:203)
at com.splunk.dbx.monitor.impl.TailDatabaseMonitor.performMonitoring(TailDatabaseMonitor.java:113)
at com.splunk.dbx.monitor.DatabaseMonitorExecutor.executeMonitor(DatabaseMonitorExecutor.java:126)
at com.splunk.dbx.monitor.DatabaseMonitorExecutor.call(DatabaseMonitorExecutor.java:102)
at com.splunk.dbx.monitor.DatabaseMonitorExecutor.call(DatabaseMonitorExecutor.java:37)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
at java.lang.Thread.run(Thread.java:679)

The event_id column is an alias of the EPOEvents.AutoID column, but when I use any of the following: [EPOEvents].[AutoID], EPOEvents.AutoID, [AutoID], AutoID, [EPOEvents].[event_id], or [event_id], the error reports that the field is not part of the resulting record set.

What is the format for specifying the rising_column field? Thanks!

-Josh

0 Karma
Reply

leppalaa
Engager
‎04-16-2014 01:18 AM

Hello,

Just in case you or someone else is still struggling with this:

The problem seems to be in the renaming of the event_id / EPOEvents.AutoID column.

I had the same problem and found a solution by wrapping the custom SQL select into another outer select and then using the event_id as the rising_column. This way, the correct "column" name (event_id) exists in the original data set and the resulting data set.

I did it like this, you can modify any part if needed. This works for me at least:

SELECT * FROM (

.... the query string from TA_mcafee comes here ...

) as outer_table
{{WHERE $rising_column$ > ?}}

I also needed to disable one of the columns that try to write to the login_user field in the mcafee query, because otherwise the outer SELECT would fail (two inputs for the same field name, login_user). You can see this problem by looking at the mcafee SQL query. I disabled the select row by commenting out the SourceUserName column from the SQL statement, like this:
--[EPOEvents].[SourceUserName] as [logon_user],

This seems to do the trick for me at least.

Reply

steven87vt
New Member
‎07-11-2013 08:11 AM

did you ever get a solution working? I have the exact same issue.

0 Karma
Reply

joshua_hart
Explorer
‎06-20-2013 05:05 AM

I'm using a custom SQL query taken from the TA-mcaffee package. The query is found in the mcafee_epo.py.pymssql file. Instead of the top 10000 rows, I'm selecting all rows using the {{WHERE $rising_column$ > ?}} statement.

0 Karma
Reply

asimagu
Builder
‎06-19-2013 09:21 PM

it needs to be an increasing number

0 Karma
Reply

asimagu
Builder
‎06-20-2013 07:40 PM

Sorry, did not get what you were asking right. Maybe you can do a simple query to test that alias, Select only AutoID from the table and use it as a rising_column. If that works, try to make it more complex bit by bit

0 Karma
Reply

joshua_hart
Explorer
‎06-20-2013 05:02 AM

Right. What I wondering, is how should I format the field name that I define as my rising_column? The field I'm using is an increasing number, but I always get one of the following errors regardless of how I format the field name: "Field name not found in result set" or "Invalid column name"

0 Karma
Reply

ziegfried
Influencer
‎06-18-2013 10:36 AM

Please provide more info about the settings you chose for the database input. Are you using a custom query?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...