Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

why db_connect can't output result to MySQL database

xsstest
Communicator
‎03-13-2018 04:57 AM

I installed db_connect 3.1.2 on search head of SHC mode. I will output result to MySQL db from splunk search. I tried the following two methods, but MySQL database still has no data

search (alert type is real-time,use admin permission):
index=attackinfo|field _time src_ip dst_ip result system

1、save as an alert , add DBX output alert action trigger action
OR
2、add |dbxoutput output="outputAttackinfoToLiveMap" at the end of search

When some events passing through the search window,these events not output to MySQL?why?but I open search to running second search statement , These events are written to the MySQL

why event is not written to the Mysql when it is saved as a alert. but running search statement that can output to mysql db! I tried to modify the alert type to a cron expression,

-1m@m @m */1 * * * *

but still so

Tags (1)
Reply

xsstest
Communicator
‎03-22-2018 08:26 AM

The question still not resolved, and no one knows why?

0 Karma
Reply

p_gurav
Champion
‎03-13-2018 05:13 AM

Hi,

I am not sure, but as per doc :
DB Connect 3 does not support running scheduled task (input or output) on the search head in the Search head cluster deployment. You must run the scheduled task on a heavy forwarder.

Also, can you tell me database output setting you configured? Refer this doc:
http://docs.splunk.com/Documentation/DBX/3.1.1/DeployDBX/Createandmanagedatabaseoutputs

0 Karma
Reply

xsstest
Communicator
‎03-13-2018 05:57 AM

hi, @p_gurav

not support running scheduled task.

When I configure output , one option is "Scheduling", but I didn't check it, so I chose to use alert to output to MySQL database.
Do you mean scheduled task that refer to this option?

0 Karma
Reply

p_gurav
Champion
‎03-13-2018 06:02 AM

Ok. can you share database output you created?

0 Karma
Reply

xsstest
Communicator
‎03-13-2018 05:47 PM

@p_gurav

[outputAttackinfoToLiveMap]
connection = Connection_LiveMap
customized_mappings = src_ip:clientip:12,dst_ip:ipstr:12,result:attacktype:12;_time:attacktime:4,system:system:12
disabled=0
interval=* * * * * ?
is_saved_search = 0
query_timeout=
scheduled = 0
search = index=attackinfo|field _time src_ip dst_ip result system
table_name = `livemap`.`attack_log`
ui_query_catalog = livemap
ui_query_table = attack_log
using_upsert=0

This is what I entered manually,Because I can't copy information from the intranet

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...