Deployment Architecture

Do we have to have a mixed account to be able to connect to an external MSSQL database?

cogrunc
New Member

We experienced an issue connecting Splunk with MSSQL databases. When we try to add an MSSQL database, the external database adding page becomes unresponsive and gives a message at the top of the page like "splunk server may be down".

Do we have to have a mixed account to be able to connect to an external MSSQL database?

0 Karma

jkat54
SplunkTrust

If by mixed account you mean an account that has a 'nix GID and a Windows ID... the answer is no. The username/pass for the database server should be the Windows domain user/pass.

First thing to do is the troubleshooting section: http://docs.splunk.com/Documentation/DBX/1.2.2/DeployDBX/Troubleshoot

Make sure you select your appropriate version. I gave a link to 1.2.2; you can change the version in the upper-ish right-ish corner of the page. You might also like to review the "enhanced" troubleshooting section of version 2 because they got into more driver troubleshooting, etc. in the latest documents (not all will apply but might help).

It for sure sounds like a timeout issue. So I would start by putting dbx into debug mode (covered in the link). Then I would check index=_internal log_level=ERR* OR log_level=WARN*. Post any errors and warnings related to db connect as comments.

Finally, you can telnet to test that port 1433 is open, check error logs on the SQL server, and many more things. It might take a while but we'd be happy to help you if you've got the time to update this post.

Here's a link for troubleshooting SQL TCP/IP Port Setup/etc.: https://support.microsoft.com/en-us/kb/823938

Note that in Windows 2010+, and I've even seen it in 2008 I believe... the TCP/IP SQL configuration has new options. You have to enable TCP/IP on the instance, and also on the IPv4 address under advanced properties.

0 Karma
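The port test suggested in the answer above, as an added example that is not part of the original thread: a Python stand-in for telnet that separates a timeout from a refused connection, since the two point to different causes. The names `probe_tcp` and `HINTS` are hypothetical, and the host is whatever SQL Server you pass on the command line.

```python
import socket
import sys

# Hypothetical helper names; what each outcome usually points to when the page hangs.
HINTS = {
    "open": "port reachable: look at credentials, driver and the DB Connect debug logs",
    "refused": "host answers but nothing listens there: check TCP/IP is enabled on the SQL instance",
    "timeout": "no answer at all: check firewalls and routing between Splunk and the database",
    "dns_failure": "host name does not resolve from the Splunk server",
    "unreachable": "network error before the port was reached",
}


def probe_tcp(host, port=1433, timeout=5.0):
    """Try a TCP connect and classify the result as a key of HINTS."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"
    result = "unreachable"
    for family, socktype, proto, _name, addr in infos:
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect(addr)
                return "open"
            except socket.timeout:
                result = "timeout"
            except ConnectionRefusedError:
                result = "refused"
            except OSError:
                pass  # e.g. no route to host; keep any more specific result
    return result


if __name__ == "__main__":
    # Usage: python probe_tcp.py <sql-server-host> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 1433
    outcome = probe_tcp(target, target_port)
    print(f"{target}:{target_port} -> {outcome}: {HINTS[outcome]}")
```

Run it from the Splunk server itself, because that is the machine whose network path to the database matters.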

jkat54
SplunkTrust

Are you using dbconnect? If so, which version, 1 or 2? If not, how are you trying to connect Splunk to the external db?

0 Karma

cogrunc
New Member

Hi @jkat54

I forgot to specify the version of dbconnect. I am using dbconnect v1.

Thanks for your reply.

0 Karma