Splunk Enterprise Version:220.127.116.11; Build: fb30470262e3
Splunk DB Connect Version: 3.1.4; Build: 43
I've installed DB Connect and Splunk enterprise on a trial basis.
I've installed the correct JDBC driver for SQL Server and was able to define inputs, connections, and identities.
I've gone into the SQL Explorer and generated queries that I opened in Search in the DB Connect page.
I've even cut-and-pasted the search expression from the DB Connect search page into the Search & Reporting page.
...so far, so good.
However, in the Search and Reporting page, I only see a "Waiting for Data" message in the Data Summary page, and if I click the Data Summary button, I only see a "waiting for results..." message under the Hosts, Sources, and Sourcetypes tabs — I thought I would see the sourcetypes that were generated under DB Connect.
In the splunkd.log, I see the following error msgs:
ERROR ExecProcessor - message from ""C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\windows_x86_64\bin\server.exe"" 15:33:23.311 [main] INFO com.splunk.dbx.utils.TrustManagerUtil - action=load_key_manager_succeed
The following two messages are repeated:
ERROR ExecProcessor - message from ""C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\windows_x86_64\bin\server.exe"" action=default_task_server_not_found
ERROR ExecProcessor - message from ""C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\windows_x86_64\bin\server.exe""
com.splunk.dbx.server.bootstrap.TaskServerStart.startTaskServer(TaskServerStart.java:90)
com.splunk.dbx.server.bootstrap.TaskServerStart.streamEvents(TaskServerStart.java:72)
com.splunk.modularinput.Script.run(Script.java:66)
com.splunk.modularinput.Script.run(Script.java:44)
com.splunk.dbx.server.bootstrap.TaskServerStart.main(TaskServerStart.java:150)
I believe there is a configuration problem, but I can't find where to look for it, or frankly, what it might be.
Db Connect: I don't see any events in the Data Lab/Find Events of a defined input; source and source type don't show in the data summary
Splunk DB Connect
I'm a Splunk newbie.
I've created the database input and successfully tested the query in the Data Lab.
When I do a Find Events on the input, I don't see any events despite using "All Time".
I don't see the source or source type in the data summary of the search page either.
I'm a Splunk newbie, so feel free to challenge any of my assumptions.
I'm tasked with integrating our proprietary product's event/alert database.
I believe the correct approach (in a simple case) is to install DB Connect and a (universal/heavy?) forwarder on the database server host and Splunk enterprise as an indexer/search head on a "query/reporting" host.
The difficulty that I'm encountering is that at least one table has a column that contains XML; this XML describes a variable list of additional fields based on the event/alert type (similar to a Windows event log); some of these additional fields include text with commas, which screws up the CSV processing.
These fields should be searchable, and selectable, on the search head, but I'm not sure what the best approach to processing them should be.
I started to look into custom search commands to transform the SQL Server record into an appropriate form:
A CSV representation seems to be a problem, not just due to delimiting characters in the field text, but to output the header row, all records must be processed to determine the set of additional fields.
One option is to convert the data into a "key=value;" representation.
Can I define a custom source type to handle the data?
I expect the answer is probably a combination of these approaches.
BTW, I installed Splunk Enterprise and Splunk DB Connect, but even with a reduced set of records, I violated the daily limits on the demo license. Advice on avoiding this would be helpful.
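The two representations discussed in the post above (a streaming key=value form that needs no header, versus a CSV whose header must be the union of every record's fields), as an added example that is not part of the original thread and not Splunk's or DB Connect's own code. The table layout (`event_id`, `event_type`, `details_xml`), the `<fields><field name="...">` XML shape and the sample rows are constructed assumptions; only the approach (parse the XML column into a dict, then emit quoted key=value or properly quoted CSV so commas inside text do not break delimiting) is what the post is asking about.

```python
"""Convert SQL Server rows whose XML column carries a variable set of
event fields into Splunk-friendly key=value events (one pass, streaming)
or a CSV with a union header (two passes).

Added example for the thread; not Splunk's or DB Connect's code.
Column names, the XML schema and the sample rows are constructed."""
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample rows: (event_id, event_type, details_xml).
# The <fields><field name="...">value</field></fields> shape is an assumption.
SAMPLE_ROWS = [
    (101, "login_failure",
     '<fields><field name="user">alice</field><field name="src_ip">10.0.0.5</field></fields>'),
    (102, "config_change",
     '<fields><field name="user">bob</field>'
     '<field name="description">Changed policy "A", then B, then C</field></fields>'),
    (103, "login_failure",
     '<fields><field name="user">carol</field><field name="reason">bad password</field></fields>'),
]


def parse_fields_xml(xml_text):
    """Return the additional fields of one row as a dict.
    ElementTree is fine for XML produced by your own trusted database;
    for XML from untrusted sources prefer the defusedxml package."""
    root = ET.fromstring(xml_text)
    fields = {}
    for f in root.iter("field"):
        name = f.get("name")
        if name:
            fields[name] = (f.text or "").strip()
    return fields


def row_to_record(row):
    """Flatten one DB row plus its XML fields into a single dict."""
    event_id, event_type, details_xml = row
    record = {"event_id": str(event_id), "event_type": event_type}
    record.update(parse_fields_xml(details_xml))
    return record


def quote_kv(value):
    # Wrap the value in double quotes and escape embedded backslashes and
    # quotes, so commas and spaces inside the text stay part of one value
    # for a quoted-value key=value extraction.
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_kv_line(record):
    return " ".join(f"{k}={quote_kv(v)}" for k, v in record.items())


def rows_to_kv_lines(rows):
    """Streaming form: one event per row, no header, so each event type
    may carry a different set of fields without any up-front pass."""
    return [to_kv_line(row_to_record(r)) for r in rows]


def rows_to_csv(rows):
    """CSV form: first pass collects the union of field names for the
    header, second pass writes rows with csv quoting so embedded commas
    and quotes are safe. Missing fields are written as empty cells."""
    records = [row_to_record(r) for r in rows]
    header = ["event_id", "event_type"]
    for record in records:
        for key in record:
            if key not in header:
                header.append(key)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=header, restval="",
                            quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    for line in rows_to_kv_lines(SAMPLE_ROWS):
        print(line)
    print(rows_to_csv(SAMPLE_ROWS))
```

The key=value output can be emitted row by row, which suits a custom streaming command or a per-event transform; the CSV output cannot be finished until every row has been seen, which is the header problem the post describes.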