Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why heavy forwarder with DB Connect is sending logs with source type dbmon:spool, not sm_access?

justin_deutsch
Explorer
‎08-14-2014 11:39 PM

Hi,

I'm having some problems with DB Connect installed on a Heavy Forwarder. The logs appear to be shipped to the indexer, but they are being shipped with a source type of dbmon:spool not sm_access as defined in the configuration. Other log files being shipped through (i.e. not from the forwarder itself) the forwarder are being received correctly. The inputs.conf configuration is below.

[script://./bin/jbridge_server.py]
disabled = 0

[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

[dbmon-tail://server_db/very_long_title-Test]
host = server2
index = tst_index_name
interval = 2 * * * *
output.format = kv
output.timestamp = 0
sourcetype = sm_access
table = smaccesslog4
tail.rising.column = db_TIMESTAMP

NB: The inputs.conf has been modified a little to remove sensitive information.

I am getting an error in the serverclass.conf, when I go to the Forwarder Management page on the forwarder. I can't see any errors in the file, but I've only just started playing with Splunk so I could very well be missing something.

[global]
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps
targetRepositoryLocation = $SPLUNK_HOME/etc/apps
tmpFolder = $SPLUNK_HOME/var/run/tmp

stateOnClient = enabled

restartSplunkWeb = False
restartSplunkd = False

continueMatching = true
endpoint = $deploymentServerUri$/services/streams/deployment?name=$tenantName$:$senter code hereerverClassName$:$appName$

Has anyone got any ideas on what might be going on?

Thanks,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mchang_splunk
Splunk Employee
Splunk Employee
‎10-13-2014 07:01 PM

Hi Justin,

DB connect stores dbmon-tail, dbmon-dump events to files named *.dbmonevt and indexed by batch setting in dbx inputs.conf.
The meta data such as host, sourcetype is stored in first line of *dbmonevt which needs props.conf to help on parsing to the right sourcetype, host, ...etc.

The root cause of this issue should be props.conf is not properly parsed.
Please check if it's really configured as a heavy forwarder or light weight forwarder.

If it's light weight forwarder, you may be able to fix this issue by installing db connect app in the indexer for parsing *.dbmonevt.

View solution in original post

Reply
Solved! Jump to solution
Solution

mchang_splunk
Splunk Employee
Splunk Employee
‎10-13-2014 07:01 PM

Hi Justin,

DB connect stores dbmon-tail, dbmon-dump events to files named *.dbmonevt and indexed by batch setting in dbx inputs.conf.
The meta data such as host, sourcetype is stored in first line of *dbmonevt which needs props.conf to help on parsing to the right sourcetype, host, ...etc.

The root cause of this issue should be props.conf is not properly parsed.
Please check if it's really configured as a heavy forwarder or light weight forwarder.

If it's light weight forwarder, you may be able to fix this issue by installing db connect app in the indexer for parsing *.dbmonevt.

Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...