Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why heavy forwarder with DB Connect is sending logs with source type dbmon:spool, not sm_access?

justin_deutsch
Explorer
‎08-14-2014 11:39 PM

Hi,

I'm having some problems with DB Connect installed on a Heavy Forwarder. The logs appear to be shipped to the indexer, but they are being shipped with a source type of dbmon:spool not sm_access as defined in the configuration. Other log files being shipped through (i.e. not from the forwarder itself) the forwarder are being received correctly. The inputs.conf configuration is below.

[script://./bin/jbridge_server.py]
disabled = 0

[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

[dbmon-tail://server_db/very_long_title-Test]
host = server2
index = tst_index_name
interval = 2 * * * *
output.format = kv
output.timestamp = 0
sourcetype = sm_access
table = smaccesslog4
tail.rising.column = db_TIMESTAMP

NB: The inputs.conf has been modified a little to remove sensitive information.

I am getting an error in the serverclass.conf, when I go to the Forwarder Management page on the forwarder. I can't see any errors in the file, but I've only just started playing with Splunk so I could very well be missing something.

[global]
repositoryLocation = $SPLUNK_HOME/etc/deployment-apps
targetRepositoryLocation = $SPLUNK_HOME/etc/apps
tmpFolder = $SPLUNK_HOME/var/run/tmp

stateOnClient = enabled

restartSplunkWeb = False
restartSplunkd = False

continueMatching = true
endpoint = $deploymentServerUri$/services/streams/deployment?name=$tenantName$:$senter code hereerverClassName$:$appName$

Has anyone got any ideas on what might be going on?

Thanks,

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mchang_splunk
Splunk Employee
Splunk Employee
‎10-13-2014 07:01 PM

Hi Justin,

DB connect stores dbmon-tail, dbmon-dump events to files named *.dbmonevt and indexed by batch setting in dbx inputs.conf.
The meta data such as host, sourcetype is stored in first line of *dbmonevt which needs props.conf to help on parsing to the right sourcetype, host, ...etc.

The root cause of this issue should be props.conf is not properly parsed.
Please check if it's really configured as a heavy forwarder or light weight forwarder.

If it's light weight forwarder, you may be able to fix this issue by installing db connect app in the indexer for parsing *.dbmonevt.

View solution in original post

Reply
Solved! Jump to solution
Solution

mchang_splunk
Splunk Employee
Splunk Employee
‎10-13-2014 07:01 PM

Hi Justin,

DB connect stores dbmon-tail, dbmon-dump events to files named *.dbmonevt and indexed by batch setting in dbx inputs.conf.
The meta data such as host, sourcetype is stored in first line of *dbmonevt which needs props.conf to help on parsing to the right sourcetype, host, ...etc.

The root cause of this issue should be props.conf is not properly parsed.
Please check if it's really configured as a heavy forwarder or light weight forwarder.

If it's light weight forwarder, you may be able to fix this issue by installing db connect app in the indexer for parsing *.dbmonevt.

Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...