Deployment Architecture

Why heavy forwarder with DB Connect is sending logs with source type dbmon:spool, not sm_access?

justin_deutsch
Explorer

Hi,

I'm having some problems with DB Connect installed on a Heavy Forwarder. The logs appear to be shipped to the indexer, but they are being shipped with a source type of dbmon:spool not sm_access as defined in the configuration. Other log files being shipped through (i.e. not from the forwarder itself) the forwarder are being received correctly. The inputs.conf configuration is below.

[script://./bin/jbridge_server.py]
disabled = 0

[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

[dbmon-tail://server_db/very_long_title-Test]
host = server2
index = tst_index_name
interval = 2 * * * *
output.format = kv
output.timestamp = 0
sourcetype = sm_access
table = smaccesslog4
tail.rising.column = db_TIMESTAMP

NB: The inputs.conf has been modified a little to remove sensitive information.

I am getting an error in the serverclass.conf, when I go to the Forwarder Management page on the forwarder. I can't see any errors in the file, but I've only just started playing with Splunk so I could very well be missing something.

[global]
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps
targetRepositoryLocation = $SPLUNK_HOME/etc/apps
tmpFolder = $SPLUNK_HOME/var/run/tmp

stateOnClient = enabled

restartSplunkWeb = False
restartSplunkd = False

continueMatching = true
endpoint = $deploymentServerUri$/services/streams/deployment?name=$tenantName$:$senter code hereerverClassName$:$appName$

Has anyone got any ideas on what might be going on?

Thanks,

0 Karma
1 Solution

mchang_splunk
Splunk Employee
Splunk Employee

Hi Justin,

DB connect stores dbmon-tail, dbmon-dump events to files named *.dbmonevt and indexed by batch setting in dbx inputs.conf.
The meta data such as host, sourcetype is stored in first line of *dbmonevt which needs props.conf to help on parsing to the right sourcetype, host, ...etc.

The root cause of this issue should be props.conf is not properly parsed.
Please check if it's really configured as a heavy forwarder or light weight forwarder.

If it's light weight forwarder, you may be able to fix this issue by installing db connect app in the indexer for parsing *.dbmonevt.

View solution in original post

mchang_splunk
Splunk Employee
Splunk Employee

Hi Justin,

DB connect stores dbmon-tail, dbmon-dump events to files named *.dbmonevt and indexed by batch setting in dbx inputs.conf.
The meta data such as host, sourcetype is stored in first line of *dbmonevt which needs props.conf to help on parsing to the right sourcetype, host, ...etc.

The root cause of this issue should be props.conf is not properly parsed.
Please check if it's really configured as a heavy forwarder or light weight forwarder.

If it's light weight forwarder, you may be able to fix this issue by installing db connect app in the indexer for parsing *.dbmonevt.

Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...