Hi, The same change applies to *LOB fields, only that one was implemented in v2. IIRC v1 would run them through strings to see if something came out... v2 and v3 just throw an error. ... View more

Hi, I apologize, we did change the behavior in v3. The SQL standards have never been very clear about what to do with columns that don't have data in them. Review https://en.wikipedia.org/wiki/Null_(SQL) for more background. DB Connect and Splunk do not render the NULL character, but instead replace it. In DBX 2.x, a database NULL was transformed to the ASCII string "NULL", which is misleadingly ambiguous. Is this empty, or the last name "Null"? Upon reflection and review of bugs, we settled on the principle that we should not alter customer data any more. Because database schemas may change and behavior has changed over the evolution of DB Connect, customers should consider using eval or fillnull to ensure that SQL searches are robust. https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fillnull http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval ... View more

thanks for the help Tyler! ... View more

Cool. FWIW, we don't document this yet because it's not stable, as you've found. Glad it worked for you! ... View more

hi, next interval means the next time that it should have run... let's say the input is set to run every 10 minutes and it's started at 12:00 with a bad password. In DBX2, it would start at 12:00:00, 12:00:10, 12:00:20, 12:00:30, 12:00:40, 12:00:50, 12:01:00, and then self-disable. In DBX3, it would start at 12:00:00, 12:10:00, 12:20:00, &c, and never self-disable. ... View more

DB Connect v3 uses a local HEC to push data into Splunk. Otherwise, this is correct advice. I also suggest the index=_internal logs, perhaps a search for error and port would be helpful. ... View more

DB Connect v3 uses a local HEC to push data into Splunk ... View more

It uses system time. ... View more

http://docs.splunk.com/Documentation/DBX/3.0.1/DeployDBX/Installdatabasedrivers#Supported_databases ... View more

Try adding an ORDER BY. ... View more

here's another option: http://docs.splunk.com/Documentation/StreamApp/7.0.1/DeployStreamApp/ConfigureFlowcollector ... View more

I don't remember the answer for DBX version 1, but DB Connect 3 allows you to update the query without resetting the checkpoint. ... View more

The Splunk time selector element allows users to switch from exact time representations (between then and now) and relative time representations (earlier than a week ago). Unfortunately the SQL needed to handle these two types of time is different, so customization of the form to limit available time input formats is advised. ... View more

http://docs.splunk.com/Documentation/AddOns/released/Overview/Syslogandtimestamps and http://docs.splunk.com/Documentation/DBX/3.0.0/DeployDBX/Troubleshooting#Incorrect_timestamp_behavior might help as well. ... View more

I'd advise using DB Connect 3 if you're going to use automatic configuration. The different types of inputs are separated into different files, rising column checkpoints are separated into a different location, and SQL parsing is strictly WYSIWYG. One gotcha in 3.0.0 is that you've got to "seed" the rising column file in your script. ... View more

because that's supported by default, I would expect it to work out of the box. Try rolling back any customizations? ... View more