I am using Splunk DB Connect 1.1.6 to connect to a SQL database. The dbquery using "select * from databasename" works fine and I can see all fields with the correct values.
My next step is to create a data input using a database input. Everything seems to work fine, but I realize the parsing is not correct. Splunk is not bringing in all the fields... I am now sending the data to a lookup table, and then from that table, indexing, but I am curious why and how I can fix this issue.
I don't understand why you would do that instead of using a regular database input? dbquery into a collect introduces a bunch of needless complexity around timestamp detection that could be the root of your problem.
Maybe I was not clear. I am using DB Connect, but the parsing on SQL DBs does not work as expected when sending the data to an index. I need historical data, so I have to send it somewhere. Indexing does not work, so I have to send to a lookup first, and then from the lookup to the index it works fine. Connections to Oracle are OK and I can collect data daily with DB Connect and send directly to the index. Maybe DB Connect 2 fixed this issue.
DB Connect 2 is easier to use, but it's impossible to tell what your issue is without looking at data and SQL statements. You're probably better off opening a support case than posting on a forum.
I don't know any other way to connect to a database. It was recommended by a Splunk engineer to download the apps and then use them to connect. Any link to your suggestion would help me. Thanks.
Hi @aervillar
Are you using DB Connect 1 or DB Connect 2?
I guess version 1.1.6 (from the about link).
Thanks for getting back. I was editing your post to improve visibility of your issue, but needed to know the correct version to tag the official app appropriately.