Hi,
I'm trying to get the DB tables as input into Splunk by using Add DB Inputs in Splunk Manager,
I'm able to index the Data from my table into Splunk when i don't mention the query(the Splunk creates its own query)
But when i mention the query such as this
SELECT * FROM TABLE_NAME {{WHERE ROWNUM <= 30}} I'm unable to index the data into Splunk.
This is very important for me as my tables are very large in size so i can't index them completely i need a Where Condition for this
Any Help is Appreciated,
Thanks.
I think you want something like
SELECT * FROM TABLE_NAME WHERE ROWNUM <= 30 {{AND $rising_column$ > ?}}
Or if you are not doing "Tail"
SELECT * FROM TABLE_NAME WHERE ROWNUM <= 30
The stuff in the brackets will not be run the first time, so putting {{ where rownum <= 30 }} will exclude this from the first run.
i can't do it now my manager wants to check it now,I will do it on Monday.
ah yes, then definitely dbmon:mkv, Is it working?
I have attributes with VARCHAR2(4000 BYTE) & CLOB data-type.
delete index, re-create, disable db input, clone db input, change to dbmon:mkv
multiple lines in a field.
If i edit the inputs.conf now will it make any difference or should i delete it & re-index it again.
I have multiple lines in my tables,There are 18 attributes in my table.
do you have fields in your database with multiple lines? If so you will need to use dbmon:mkv
If i use DB-Query the data is displayed in the form of tables very clean & crisp,but after indexing its pouring all the data at once without any space.
for example?
the records are indexed into Splunk I'm able to Search them but they are not displayed in proper format as they are displayed when DB-Query is used.
the sourcetype is dbmon:kv
Did you get this working?
http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Configuredatabasemonitoring
7. Specify a data Sourcetype.
The following formats are associated with the sourcetypes:
Key-Value format with dbmon:kv sourcetype
Multi-line Key-Value format with dbmon:mkv sourcetype
Template with dbmon:tpl sourcetype
CSV format with CSV sourcetype
Note: If you leave the Sourcetype field blank, the pre-defined sourcetype associated with the format is used.
what is your sourcetype? dbmon:kv?
Thank you its indexing now,but its displaying in the form of paragraph's the field i selected in the settings page for Output Format = Key-Value Format
to copy your current input, it will run the query initially once again without the {{ AND $rising_column$ > ?}}
okay i will try that now,What is the clone button for.?
That's the issue, you literally need to put {{ AND $rising_column$ > ?}} instead of {{AND CREATED_DT > ?}}
This is the Query By means of which I'm trying to index data into SPlunk
SELECT * FROM Table_NM WHERE TRUNC(CREATED_DT) BETWEEN to_date('04-03-2014','mm/dd/yyyy')
AND to_date('04-03-2014','mm/dd/yyyy')AND ROWNUM<=100
{{AND CREATED_DT > ?}}
ORDER BY CREATED_DT ASC
When i tried this query in DB_Query I'm getting results
SELECT * FROM Table_NM WHERE TRUNC(CREATED_DT) BETWEEN to_date('04-03-2014','mm/dd/yyyy') AND to_date('04-03-2014','mm/dd/yyyy') AND ROWNUM <= 100