Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

why db_connect can't output result to MySQL database

xsstest
Communicator
‎03-13-2018 04:57 AM

I installed db_connect 3.1.2 on search head of SHC mode. I will output result to MySQL db from splunk search. I tried the following two methods, but MySQL database still has no data

search (alert type is real-time,use admin permission):
index=attackinfo|field _time src_ip dst_ip result system

1、save as an alert , add DBX output alert action trigger action
OR
2、add |dbxoutput output="outputAttackinfoToLiveMap" at the end of search

When some events passing through the search window,these events not output to MySQL?why?but I open search to running second search statement , These events are written to the MySQL

why event is not written to the Mysql when it is saved as a alert. but running search statement that can output to mysql db! I tried to modify the alert type to a cron expression,

-1m@m @m */1 * * * *

but still so

Tags (1)
Reply

xsstest
Communicator
‎03-22-2018 08:26 AM

The question still not resolved, and no one knows why?

0 Karma
Reply

p_gurav
Champion
‎03-13-2018 05:13 AM

Hi,

I am not sure, but as per doc :
DB Connect 3 does not support running scheduled task (input or output) on the search head in the Search head cluster deployment. You must run the scheduled task on a heavy forwarder.

Also, can you tell me database output setting you configured? Refer this doc:
http://docs.splunk.com/Documentation/DBX/3.1.1/DeployDBX/Createandmanagedatabaseoutputs

0 Karma
Reply

xsstest
Communicator
‎03-13-2018 05:57 AM

hi, @p_gurav

not support running scheduled task.

When I configure output , one option is "Scheduling", but I didn't check it, so I chose to use alert to output to MySQL database.
Do you mean scheduled task that refer to this option?

0 Karma
Reply

p_gurav
Champion
‎03-13-2018 06:02 AM

Ok. can you share database output you created?

0 Karma
Reply

xsstest
Communicator
‎03-13-2018 05:47 PM

@p_gurav

[outputAttackinfoToLiveMap]
connection = Connection_LiveMap
customized_mappings = src_ip:clientip:12,dst_ip:ipstr:12,result:attacktype:12;_time:attacktime:4,system:system:12
disabled=0
interval=* * * * * ?
is_saved_search = 0
query_timeout=
scheduled = 0
search = index=attackinfo|field _time src_ip dst_ip result system
table_name = `livemap`.`attack_log`
ui_query_catalog = livemap
ui_query_table = attack_log
using_upsert=0

This is what I entered manually,Because I can't copy information from the intranet

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...