All Apps and Add-ons

How do I troubleshoot why an Index isn't getting all the data from a query for some records using DB Connect?

JustinV
Engager

I am using Splunk DB Connect and most rows are being populated correctly. I do have some rows that are not getting data for all the columns. When I look at the source DB using either SQL Management Studio or the DB Connect app, I do see that all the columns are populated, but when I look at the indexed data on Splunk, I see that after a description column, that the rest of the columns are not getting put into the index. This is only for some records. One thing I noticed on one of the broken records is that after the 50th character in the description column, the rest of the text in the description column isn't showing up in the index. There are also some carriage returns after the 50th character but there are a few characters before the carriage returns that aren't showing up. When I look at the Database info, the description column shows is a varchar(255) column.

What can I do to troubleshoot why it stops indexing the row while it's loading the description column?

0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Are you using the single-line key-value format from DB Connect?

If so, switch to multi-line key-value format - I'm guessing your description has line breaks in it, causing the single-line key-value format to start a new event... your tailing partial events will be somewhere, but possibly under different timestamps.

View solution in original post

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Are you using the single-line key-value format from DB Connect?

If so, switch to multi-line key-value format - I'm guessing your description has line breaks in it, causing the single-line key-value format to start a new event... your tailing partial events will be somewhere, but possibly under different timestamps.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

The input setting will only affect new data, old data will be unchanged.

Some field extractions may need to be adjusted though.

0 Karma

JustinV
Engager

We are using single-line key-value. If I change this to multi-line, what will happen to all the old data? We currently have 1 year of history data and I can't lose it.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...