I found the solution!
After watching the logs (tail -50) from $SPLUNK_HOME/var/log/splunk/splunk_app_db_connect_server.log, I realised that the problem was in the JVM command option! The error was:
HTTP Error 400, HEC response body: {"text":"Error in handling indexed fields","code":15,"invalid-event-number":0}
==> Solution:
HTTP Event Collector expects to receive dates in the format: timestamp.microseconds
Splunk DB Connect transforms dates into this format via Java. If the default locale takes the comma as the decimal separator, the problems start ...
To solve this problem:
In Splunk DB Connect > Configuration > Settings > General, add the option in JVM Options:
-Duser.language=en
Save; the Java server restarts.
I've got help from this question
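The locale effect described in the post above, as an added example that is not part of the original post and is not Splunk DB Connect's code. It assumes the timestamp is produced with locale-sensitive `String.format`; the class name, the regex and the sample timestamp are constructed for illustration.

```java
import java.util.List;
import java.util.Locale;
import java.util.regex.Pattern;

public class HecTimeLocaleCheck {
    // Shape the post describes for the HEC time value: digits, a dot, fractional digits.
    // (Assumed pattern for this example, not taken from Splunk documentation.)
    private static final Pattern HEC_TIME = Pattern.compile("^\\d+(\\.\\d+)?$");

    // Locale-sensitive: %f takes its decimal separator from the given locale.
    static String formatWith(Locale locale, long epochMillis) {
        return String.format(locale, "%.3f", epochMillis / 1000.0);
    }

    // Locale-independent: integer arithmetic plus Locale.ROOT, so the
    // separator is always '.' whatever the JVM default locale is.
    static String formatFixed(long epochMillis) {
        return (epochMillis / 1000) + "."
                + String.format(Locale.ROOT, "%03d", epochMillis % 1000);
    }

    static boolean acceptedShape(String time) {
        return HEC_TIME.matcher(time).matches();
    }

    public static void main(String[] args) {
        long sample = 1700000000123L; // constructed sample: epoch milliseconds

        // The JVM default is what -Duser.language=en changes at startup.
        List<Locale> locales = List.of(
                Locale.getDefault(), Locale.US, Locale.FRANCE, Locale.GERMANY);

        for (Locale locale : locales) {
            String time = formatWith(locale, sample);
            System.out.printf(Locale.ROOT, "%-8s %-16s %s%n",
                    locale, time, acceptedShape(time) ? "ok" : "comma separator, rejected shape");
        }

        String fixed = formatFixed(sample);
        System.out.printf(Locale.ROOT, "%-8s %-16s %s%n",
                "fixed", fixed, acceptedShape(fixed) ? "ok" : "rejected shape");
    }
}
```

Running it once normally and once with `java -Duser.language=en HecTimeLocaleCheck` shows how the first row, the JVM default locale, changes on a host whose default locale uses a comma.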