Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About pmdba
pmdba
Builder
Member since:
05-15-2013
01-06-2026
Community Statistics
| Posts | 140 |
| Solutions | 22 |
| Karma Given | 5 |
| Karma Received | 53 |
| Member Since | 05-15-2013 |
Activity Feed
- Tagged breaking multiple mv fields into single events based on array index on Splunk Search. 01-29-2025 03:14 PM
- Posted breaking multiple mv fields into single events based on array index on Splunk Search. 01-29-2025 03:13 PM
- Tagged breaking multiple mv fields into single events based on array index on Splunk Search. 01-29-2025 03:13 PM
- Tagged breaking multiple mv fields into single events based on array index on Splunk Search. 01-29-2025 03:13 PM
- Posted Export pdf vs schedule pdf delivery custom variables on Reporting. 11-08-2022 10:10 AM
- Got Karma for Re: Excute sql statement on splunk db connect. 08-19-2020 05:09 AM
- Got Karma for Re: Does Splunk DB Connect 2 cause full table scans for every query against Oracle?. 06-05-2020 12:48 AM
- Got Karma for Re: Does Splunk DB Connect 2 cause full table scans for every query against Oracle?. 06-05-2020 12:48 AM
- Karma Re: How can I index login/logout logs from an Oracle database in Splunk? for fdi01. 06-05-2020 12:47 AM
- Karma Re: how to save oracle db query results into a CSV format and use this CSV file to index into SPLUNK to generate dashboards for vganjare. 06-05-2020 12:47 AM
- Got Karma for Re: Splunk DB Connect 2: Is it possible to establish an Oracle DB Connection with a tnsnames.ora entry?. 06-05-2020 12:47 AM
- Got Karma for Re: DBConnect changing the date column value automatically to wrong date. 06-05-2020 12:47 AM
- Got Karma for Re: Splunk DB Connect 2: Is it possible to establish an Oracle DB Connection with a tnsnames.ora entry?. 06-05-2020 12:47 AM
- Got Karma for Re: DBConnect changing the date column value automatically to wrong date. 06-05-2020 12:47 AM
- Got Karma for Re: Is it possible to query a temp table using Splunk DB Connect?. 06-05-2020 12:47 AM
- Got Karma for Re: Can Splunk monitor the response times of Oracle forms and how to do this?. 06-05-2020 12:47 AM
- Got Karma for Re: Splunk DB Connect V1 Database connection release. 06-05-2020 12:47 AM
- Got Karma for Re: How to index Oracle dynamic performance views (v_$transaction, v_$session etc) in Splunk?. 06-05-2020 12:47 AM
- Got Karma for Re: How to index Oracle dynamic performance views (v_$transaction, v_$session etc) in Splunk?. 06-05-2020 12:47 AM
- Got Karma for Re: How to index Oracle dynamic performance views (v_$transaction, v_$session etc) in Splunk?. 06-05-2020 12:47 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 1 | |||
| 1 | |||
| 0 | |||
| 0 |
12-23-2014
03:48 PM
I'm not sure this alert will work. If the only thing that will match up between the Windows event and the database event is terminal ID, then as long as everything is working as intended they will always match. It wouldn't even matter if you matched up with the Windows data or not - as long as Terminal ID is coming from your network, there would be no reason to alert because you have nothing else to check (like Windows username and DB username matching). The problem is that with the right client (i.e. Java JDBC), the TerminalID can be spoofed to be anything. An attacker could make the Terminal ID appear to be something legitimate even if the connection is originating from somewhere else. In such a case, your alert still wouldn't detect anything.
If you want to protect your database from connections originating in unauthorized networks, check out Oracle Connection Manager. It's a free add-on to most Oracle database licenses. There's a paper on how to implement it here. You can then use Splunk to monitor the connection manager logs and send alerts when any connection is rejected. Depending on your version of Oracle and the size of your client network, you might also consider implementing Oracle's Valid Node Checking feature on the listener (explicit client IP addresses might be required).
... View more
11-12-2014
12:28 PM
If you are configuring a dbtail monitor on the table, then yes I believe you will need a unique field - preferably an incrementing numeric ID or a timestamp that Splunk can track and increment for the tail.
If you are running a dbquery search or a dbdump input then you would not need a unique field. dbquery is real time and does not index the data returned in Splunk. dbdump will grab the entire contents of the table every time it runs; you can append a timestamp at that point and need not worry about a unique identifier or incremental field.
... View more
11-04-2014
07:32 AM
1 Karma
A view works just as well as a table for dbtail. My point was that with a view you could insert whatever escape character(s) Splunk needs into your data and possibly preserve the quotes that way. Another possibility is to define a new key/term within Splunk using the "extract fields" functionality.
... View more
11-01-2014
08:56 PM
1 Karma
I would use a view to select your data instead of selecting it directly from the table. The view should use a "replace" function (or the equivalent for your particular database) to substitute some other character for the quotes, or to insert an escape that Splunk will recognize.
... View more
11-01-2014
06:40 AM
I've never done this, but it might be possible to configure a second network listener on the database server and only register it to connect dedicated server sessions (i.e. not register it with the dispatcher).
... View more
11-01-2014
06:28 AM
Unfortunately, Splunk constructs the JDBC Thin connection URL internally based on the username/password/service name parameters provided in the database.conf file. There doesn't appear to be way to provide any other details in the file specification. As such I don't think you can currently provide the sort of detailed connection information you specify above.
It also appears that there is no way to define a shared/dedicated preference on a service name basis on the server side of the connection, so if you can't override the default from the client then you're pretty much stuck with the server's default. Is there a particular reason you need to have a dedicated session instead of a shared one?
... View more
10-30-2014
10:00 PM
Your Splunk search must be producing duplicate results or the database wouldn't complain. Try running the search without the dboutput portion and confirm that the data is what you expect (i.e no primary key violations). If you are getting duplicate results, refine your search to eliminate them and then try the dboutput portion again.
... View more
10-30-2014
04:30 PM
Either the database is not configured to register its SID with the listener, or you are not using the actual SID in your connect string. Do you have access to the database server itself, or the assistance of an Oracle DBA, to confirm what the listener will accept? How you would configure the database and listener will depend on which version of Oracle and what sort of architecture (stand-alone, stand-alone with grid infrastructure, or RAC) that you are using.
In general you are better off using a service name if that is an option; it is Oracle's preferred method for identifying databases over the network. SID, while it still works in most cases, was actually deprecated as a network identifier something like 15 years ago with Oracle 9.
... View more
10-29-2014
05:43 AM
I'd love to, but your support portal won't let me log in, and you don't provide a phone number or other contact info for support anywhere on your web site that I could find. I get the following error trying to access the support portal:
Login Error
Your login attempt using single sign-on with an identity provider certificate has failed. Please contact your salesforce.com administrator for more information.
... View more
10-28-2014
03:33 AM
None of our input stanza have changed; they were all working before OS patches were applied. It isn't just inputs that are failing - no part of the DBX user interface is working. The database browse and ad-hoc query (dbquery command) functions do not work, nor does the Save Settings screen. The Java Bridge server is down. Anything that from DBX that involves a REST call is failing with an HTTP 401 (Not Authorized) error. No database connection is even attempted.
... View more
10-28-2014
03:25 AM
The error is from the REST server itself, no connection to the database is even attempted because the Java Bridge server is not functional.
... View more
10-27-2014
01:12 PM
We're also seeing errors like this in the jbridge.log file:
2014-10-27 11:34:50,576 INFO 127.0.0.1 - username [27/Oct/2014:11:34:50.551 -0400] "GET /en-US/custom/dbx/dbx/status?nocache=1414424090163 HTTP/1.1" 401 1396 "https://splunk/en-US/app/dbx/home" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0" - 544e661a8d7fedec411190 25ms
2014-10-27 11:34:51,771 INFO 127.0.0.1 - username [27/Oct/2014:11:34:51.743 -0400] "GET /en-US/custom/dbx/dbx/status?nocache=1414424091376 HTTP/1.1" 401 1396 "https://splunk/en-US/app/dbx/home" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0" - 544e661bbe7fedf8014610 27ms
2014-10-27 11:34:52,933 INFO 127.0.0.1 - username [27/Oct/2014:11:34:52.907 -0400] "GET /en-US/custom/dbx/dbx/status?nocache=1414424092530 HTTP/1.1" 401 1397 "https://splunk/en-US/app/dbx/home" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:32.0) Gecko/20100101 Firefox/32.0" - 544e661ce87fede8119450 26ms
Again, the "401" error seems to indicate some sort of permissions issue, but nothing has changed that we are aware of...
... View more
10-27-2014
12:59 PM
Java path was the first thing we fixed. The REST server is refusing connections from DBX for some reason that we don't understand.
... View more
10-27-2014
12:58 PM
We tried this too. There is some sort of permissions issue with the REST server now - it is refusing to accept connections from DBX. Don't know why.
... View more
10-27-2014
11:36 AM
1 Karma
Yes, we had already updated the Java Home. Had to do it manually in the java.conf file because DB Connect can't use REST calls from the UI to do anything. Before we updated the Java Home we couldn't even get this far - no Java Bridge server and no errors in the logs at all. Now we at least get these error messages.
... View more
10-27-2014
10:16 AM
We recently patched our operating system (Red Hat Enterprise Linux 6) and the Java JRE path changed. When we updated the java.conf file for DBX and restarted Splunk, we started seeing the following errors in the jbridge.log file:
ERROR Java process returned error code 1! Error: Initializing Splunk context...
Environment: SplunkEnvironment{SPLUNK_HOME=/opt/splunk,SPLUNK_DB=/opt/splunk/var/lib/splunk}
Configuring Log4j...
Exception in thread "main" com.splunk.config.SplunkConfigurationException: IO Error while reading configuration from Splunkd: java.io.IOException: Server returned HTTP response code: 401 for URL: https://127.0.0.1:8089/servicesNS/nobody/-/admin/conf-java?count=10000
at com.splunk.config.rest.RESTAdapter.request(RESTAdapter.java:195)
at com.splunk.config.rest.RESTAdapter.readConfig(RESTAdapter.java:203)
at com.splunk.config.cache.CachedConfigurationAdapter.readConfig(CachedConfigurationAdapter.java:32)
at com.splunk.config.cache.CachedConfigurationAdapter.readStanza(CachedConfigurationAdapter.java:40)
at com.splunk.env.SplunkContext.getConfigStanza(SplunkContext.java:313)
at com.splunk.env.SplunkContext.initialize(SplunkContext.java:128)
at com.splunk.bridge.JavaBridgeServer.main(JavaBridgeServer.java:34)
Caused by: java.io.IOException: Server returned HTTP response code: 401 for URL: https://127.0.0.1:8089/servicesNS/nobody/-/admin/conf-java?count=10000
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:534)
-at sun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1458)
at java.security.AccessController.doPrivileged(Native Method)
at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1452)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1106)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
at com.splunk.rest.Response.getContent(Response.java:54)
at com.splunk.rest.Response.readXML(Response.java:62)
at com.splunk.config.rest.RESTAdapter.request(RESTAdapter.java:193) ...
6 more
Caused by: java.io.IOException: Server returned HTTP response code: 401 for URL: https://127.0.0.1:8089/servicesNS/nobody/-/admin/conf-java?count=10000
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1403)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:397)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)
at com.splunk.rest.Response.<init>(Response.java:31)
at com.splunk.rest.Splunkd.request(Splunkd.java:213)
at com.splunk.rest.Splunkd.request(Splunkd.java:98)
... 7 more
We're using DB Connect 1.1.4. Does anyone have any idea what could have caused this? Everything was working fine before the OS was patched. Now the Java Bridge server will no longer load, and DB Connect is completely non-functional because it isn't able to communicate with the REST services (HTTP 401 is an "unauthorized" access error).
... View more
10-27-2014
06:28 AM
Username and response time will not appear in raw network data. Username is only transmitted at the time of the initial login and may be encrypted, and response time is calculated locally on the client or as detailed metrics information on the server, but not transmitted over the network. If you are trying to assess database performance, there is much more accurate information available in the v$ dynamic performance views, which you would access through DB Connect using SQL queries, not streams.
... View more
10-25-2014
09:24 PM
I'm not sure a Splunk tool would be necessary. On most operating systems it wouldn't be difficult to create a script to dump the data you want from the database and sftp it to your Splunk host for indexing on a daily basis.
... View more
10-25-2014
09:12 PM
3 Karma
I would suggest creating a view in the database with the column names you want, aliased how you want, and then have Splunk select from the view. This allows you also to keep the most complex part of your code (the view query) in the database where you can modify it easily, and to keep your Splunk DBX input as a basic, no-frills select statement.
... View more
10-25-2014
08:59 PM
1 Karma
Each database would require an individual input in Splunk; I'm not sure what sort of resources would be required on your indexer or if DB Connect has a limit on the number of possible database connections, but I think you were told correctly that it probably isn't a good solution. Sounds more like you need to consolidate your information in a data warehouse database, then configure Splunk to connect to that instead of to each individual database. With properly constructed database views or sql searches in Splunk, you might not even need to put all that data into the Splunk indexes and have it count against your license.
... View more
10-17-2014
08:21 AM
Each query provides a unique set of data, presumably with different fields/columns, so I'm not sure you want to combine multiple queries into a single input. Defining multiple inputs allows you flexibility in scheduling and in determining other parameters like source type and field names.
If you really need to combine output from multiple queries that would have common field names, etc., you could use a UNION type of construct to combine their data sets into a single set for return to Splunk. I'm not sure what the exact Informix syntax would be, but perhaps something like this:
select column_1, column_2 from table_1 where column_1 = x
union
select column_1, column_2 from table_2 where column_2 = y
or like this:
with query_1 as
(select column_1, column_2 from table_1 where column_1 = x
union
select column_1, column_2 from table_2 where column_2 = y)
select column_1, column_2 from query_1
or perhaps combine the queries into a view in the database and select from the view in your input.
... View more
10-16-2014
08:49 AM
1 Karma
There really isn't a mechanism outside of specialized performance monitoring software that would allow you to capture all of the v$session data. If you are concerned about long running queries or commands or something like that, you should be able to execute summary queries or specialized alert queries to look for specific things. Let the database summarize and evaluate the session information and only collect the high level metrics into Splunk. This would allow you to keep the total volume of data down for your Splunk license, too.
e.g. "select to_char(sysdate,'YYYY-MM-DD HH24:MI:SS'), count(*) session_count from v$session where last_call_et > 600 and lower(event) like '%wait'"
... View more
10-16-2014
08:40 AM
I believe each query must be scheduled and run as a separate input. There is no way to post multiple queries as part of the same input.
... View more
10-15-2014
02:25 PM
1 Karma
I'm not as experienced with Informix (it's been a few years), but in general DB Connect cannot perform DDL types of operations (that would create/drop objects). Basic SELECT statements are the norm; if the database connection is not defined as read-only, you may also be able to perform DML (insert/update/delete) operations.
Also, just an observation but in general I have not had much luck with Splunk indexing queries that aren't fully qualified. It is generally considered bad programming practice to use "select *"; it is preferred to select only the columns you need, by name. With Splunk it is often necessary to detail timestamp columns and rising value columns by name in the input definition, regardless.
... View more
10-15-2014
02:02 PM
2 Karma
You can set up a user with the "SELECT ANY DICTIONARY" privilege, which will include access to to the V$ views without granting full DBA privileges. Unfortunately, it will also grant select access to certain dictionary tables that your DBA might not want exposed, like USER$, so no guarantees that this will be allowed. You should also be able to create a custom role with select access to the specific views you want, but this may take a while to fine-tune to the point where you're seeing everything you want.
The other thing to be aware of is that v$ views are extremely volatile - the information in them is constantly changing and is only accurate for the split second that the data is returned. Many database activities, including some entire sessions, are completed in milliseconds, so depending on what your refresh rate on your Splunk input is, you will likely miss a LOT of data, including events that you want to capture. Conversely, if your monitor rate is very fast, you will be collecting a lot of duplicate data on longer-running activities that will not really benefit you much, and will quickly exhaust your Splunk license - and still likely miss a lot of data on activities that you want to capture. A better option is to target specific activities that you want to monitor with general or fine-grained auditing, then Splunk the audit trails for changes. This allows you to focus your attention on the things that matter most, while not sucking up your Splunk license with a lot of data that will ultimately be meaningless.
For a complete step-by-step guide on configuring Splunk for Oracle and the various ways to collect data, including auditing, see the Real-Time Log File Analysis for Oracle 11g add-on.
... View more
