Splunk Dev

why db_connect can't output result to MySQL database

xsstest
Communicator

I installed db_connect 3.1.2 on the search head of an SHC deployment. I want to output results to a MySQL DB from a Splunk search. I tried the following two methods, but the MySQL database still has no data.

search (alert type is real-time, run with admin permissions):
index=attackinfo|fields _time src_ip dst_ip result system

1. Save it as an alert and add the DBX output alert action as the trigger action
OR
2. Add |dbxoutput output="outputAttackinfoToLiveMap" at the end of the search

When events pass through the search window, they are not written to MySQL. Why? But when I open Search and run the search statement a second time, these events are written to MySQL.

Why is the event not written to MySQL when the search is saved as an alert, while running the search statement directly does output to the MySQL DB? I tried changing the alert type to a cron expression,

-1m@m @m */1 * * * *

but it is still the same.

xsstest
Communicator

The question is still not resolved, and no one knows why?

0 Karma

p_gurav
Champion

Hi,

I am not sure, but per the docs:
DB Connect 3 does not support running scheduled task (input or output) on the search head in the Search head cluster deployment. You must run the scheduled task on a heavy forwarder.

Also, can you tell me which database output settings you configured? Refer to this doc:
http://docs.splunk.com/Documentation/DBX/3.1.1/DeployDBX/Createandmanagedatabaseoutputs

0 Karma

xsstest
Communicator

Hi, @p_gurav

"does not support running scheduled task"

When I configure the output, one option is "Scheduling", but I didn't check it, so I chose to use an alert to output to the MySQL database.
Do you mean the scheduled task refers to this option?

0 Karma

p_gurav
Champion

OK. Can you share the database output you created?

0 Karma

xsstest
Communicator

@p_gurav

[outputAttackinfoToLiveMap]
connection = Connection_LiveMap
customized_mappings = src_ip:clientip:12,dst_ip:ipstr:12,result:attacktype:12,_time:attacktime:4,system:system:12
disabled=0
interval=* * * * * ?
is_saved_search = 0
query_timeout=
scheduled = 0
search = index=attackinfo|fields _time src_ip dst_ip result system
table_name = `livemap`.`attack_log`
ui_query_catalog = livemap
ui_query_table = attack_log
using_upsert=0

This is what I entered manually, because I can't copy information from the intranet.

0 Karma
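An added checker, not code from this thread or from DB Connect, that lints a db_outputs.conf stanza like the one posted above: it parses customized_mappings as comma-separated field:column:java.sql.Types-code triples (an assumption drawn from the 12 and 4 in the stanza), flags the singular `field` where SPL needs `fields`, and flags a scheduled output on a search head cluster member, the limitation p_gurav quoted from the docs. The stanza embedded in it is constructed for the demonstration.

```python
import configparser
import re

# Subset of java.sql.Types codes; assumption: DB Connect mappings use these numeric codes.
SQL_TYPES = {4: "INTEGER", 12: "VARCHAR", 93: "TIMESTAMP"}
MAPPING_RE = re.compile(r"^([^:,;\s]+):([^:,;\s]+):(-?\d+)$")

# Constructed stanza modelled on the posted one; it deliberately carries a ';' between
# two mappings and the singular 'field' so that the checker has something to flag.
SAMPLE_STANZA = """[outputAttackinfoToLiveMap]
connection = Connection_LiveMap
customized_mappings = src_ip:clientip:12,dst_ip:ipstr:12,result:attacktype:12;_time:attacktime:4,system:system:12
disabled = 0
scheduled = 0
is_saved_search = 0
search = index=attackinfo|field _time src_ip dst_ip result system
table_name = `livemap`.`attack_log`
"""

def parse_mappings(raw):
    """Parse 'field:column:typecode,...' into (field, column, typename) triples."""
    triples = []
    for item in (s.strip() for s in raw.split(",")):
        m = MAPPING_RE.match(item)
        if not m:
            raise ValueError(f"malformed mapping entry {item!r}")
        code = int(m.group(3))
        if code not in SQL_TYPES:
            raise ValueError(f"unknown java.sql.Types code {code} in {item!r}")
        triples.append((m.group(1), m.group(2), SQL_TYPES[code]))
    return triples

def check_output_stanza(text, on_search_head_cluster):
    """Lint one db_outputs.conf stanza and return a list of findings (empty = clean)."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    st = cp[cp.sections()[0]]
    findings = []
    try:
        parse_mappings(st.get("customized_mappings", ""))
    except ValueError as e:
        findings.append(f"customized_mappings: {e}")
    # Every pipe segment must start with a real SPL command: 'fields', not 'field'.
    for seg in st.get("search", "").split("|")[1:]:
        if re.match(r"\s*field\s", seg):
            findings.append(f"search: 'field' is not an SPL command, use 'fields' ({seg.strip()!r})")
    # Docs limitation quoted in the thread: no scheduled inputs/outputs on an SHC search head.
    if on_search_head_cluster and "1" in (st.get("scheduled"), st.get("is_saved_search")):
        findings.append("scheduled output on an SHC search head is unsupported; run it on a heavy forwarder")
    return findings
```

Running check_output_stanza(SAMPLE_STANZA, on_search_head_cluster=True) reports the malformed mapping and the `field` command; a corrected stanza with scheduled = 1 reports only the SHC limitation.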