When I use this: |dbquery xxx "SELECT to_char(ORDERS.TIMEPLACED, 'hh24') || ':00:00-' || to_char(ORDERS.TIMEPLACED + 1/24, 'hh24') || ':00:00' as RANGE, DECODE(ORDERITEMS.SHIPMODE_ID,10053,'NDD-HOME',10054,'NDD-SYW',10058,'STD-HOME') as SHIPMODE, COUNT(distinct ORDERS.ORDERS_ID) as ORDER_COUNT FROM WCSRT.ORDERS, WCSRT.ORDERITEMS WHERE ORDERS.ORDERS_ID=ORDERITEMS.ORDERS_ID AND ORDERS.STATUS in ('S','C','M') AND trunc(ORDERS.timeplaced)=trunc(sysdate) AND to_char(WCSRT.ORDERS.TIMEPLACED, 'hh24')<=24 AND to_char(ORDERS.TIMEPLACED, 'hh24') NOT IN (select to_char(sysdate, 'hh24') from dual) AND ORDERITEMS.SHIPMODE_ID in (10053,10054,10058) GROUP BY to_char(ORDERS.TIMEPLACED, 'hh24') || ':00:00-' || to_char(ORDERS.TIMEPLACED + 1/24, 'hh24') || ':00:00', ORDERITEMS.SHIPMODE_ID ORDER BY RANGE" I get valid results. But when i try this: |dbxquery coonnection=xxx query="SELECT to_char(ORDERS.TIMEPLACED, 'hh24') || ':00:00-' || to_char(ORDERS.TIMEPLACED + 1/24, 'hh24') || ':00:00' as RANGE, DECODE(ORDERITEMS.SHIPMODE_ID,10053,'NDD-HOME',10054,'NDD-SYW',10058,'STD-HOME') as SHIPMODE, COUNT(distinct ORDERS.ORDERS_ID) as ORDER_COUNT FROM WCSRT.ORDERS, WCSRT.ORDERITEMS WHERE ORDERS.ORDERS_ID=ORDERITEMS.ORDERS_ID AND ORDERS.STATUS in ('S','C','M') AND trunc(ORDERS.timeplaced)=trunc(sysdate) AND to_char(WCSRT.ORDERS.TIMEPLACED, 'hh24')<=24 AND to_char(ORDERS.TIMEPLACED, 'hh24') NOT IN (select to_char(sysdate, 'hh24') from dual) AND ORDERITEMS.SHIPMODE_ID in (10053,10054,10058) GROUP BY to_char(ORDERS.TIMEPLACED, 'hh24') || ':00:00-' || to_char(ORDERS.TIMEPLACED + 1/24, 'hh24') || ':00:00', ORDERITEMS.SHIPMODE_ID ORDER BY RANGE". I get 'no results found'. Can someone explain why DBXquery does not work as smoothly as DBQuery ? How do I convert my current DBQueries to work with DBXQuery as well? ... View more

We have Splunk DB Connect 2 installed on two heavy forwarders, but the health dashboards work on none ("no results found"). We have another environment with DB Connect installed on the search head. In that case, the dashboard seems to work fine. I know that the internal logs from the heavy forwarders are forwarded to our indexers. Is that the reason why the heath dashboard won't work? Note: I also don't see any errors when I click the "RPC Service", (which also runs a search on the internal index). I believe its standard practice to forward internal logs from HFs to indexer. In that case, what is the point of the health dashboard on a distributed environment? (This is of course assuming that my analysis of the problem is correct in the first place). Splunk support were not able to suggest any solutions when we raised this as a case. They advised upgrading the app, which we did (from 2.0.3 to 2.1.1). This made no difference to the issue. ... View more

We have upgraded a Splunk universal forwarder from Splunk 6.1.2 to 6.2.2 a couple of days back. I checked the version in the forwarder after upgrading, using the ./splunk version command and it showed "Splunk Universal Forwarder 6.2.2 (build 255606)", but the S.o.S - Splunk on Splunk app on the search head still shows the Universal Forwarder version as 6.1.2 under deployment Status> Deployment Topology. I checked the splunk_instances_info.csv lookup table for hints and it too has the UF version listed as 6.1.2. The Search head itself is running Splunk 6.2.2 (if that matters). I have restarted the Search head a couple of times, but it's not picking up the correct Splunk UF version. Can anyone help? Thanks, Saikat ... View more

We have a database data input which has stopped pulling data from an oracle database over the last 7-8 hours. I have tried disabling and re enabling the data inputs to no effect. i have also gone to manage apps> splunk DB connect>view objects and disabled and re enabled the object related to that database but no luck there either. Then i tried to restart the splunk services on the indexers, one of them started fine but the other one keeps going into upgrade setup every time we try to start or stop it (it mistakes the start/stop for upgrade request, I presume). Has anyone faced this forced upgrade issue before? How to troubleshoot it? Do you think the two issues are related? Will restarting services on the indexer solve the first issue? ... View more

We have been trying to restart splunk services on a forwarder as it had stopped working some time back, but when you try any option (start/stop), splunk seems to enter an upgrade setup and the following message turns up: Do you agree with this license? [y/n]: y This appears to be an upgrade of Splunk. --------------------------------------------------------------------------------) Splunk has detected an older version of Splunk installed on this machine. To finish upgrading to the new version, Splunk's installer will automatically update and alter your current configuration files. Deprecated configuration files will be renamed with a .deprecated extension. You can choose to preview the changes that will be made to your configuration files before proceeding with the migration and upgrade: If you want to migrate and upgrade without previewing the changes that will be made to your existing configuration files, choose 'y'. If you want to see what changes will be made before you proceed with the upgrade, choose 'n'. Perform migration and upgrade without previewing configuration changes? [y/n] n -- Migration information is being logged to '/apps/splunk/var/log/splunk/migration.log.2015-04-23.11-49-27' -- Migrating to: VERSION=6.1.2 BUILD=213098 PRODUCT=splunk PLATFORM=Linux-x86_64 ********** BEGIN PREVIEW OF CONFIGURATION FILE MIGRATION ********** An error occurred: In order to migrate, Splunkd must not be running. [splunkadm@s220823vaps7016 bin]$ Has anyone else faced this? Please suggest what can be done to fix this. Please note this is happening on only the particular forwarder. ... View more