All Apps and Add-ons

Splunk DB Connect tail doesn't work

Micmac
Path Finder

Hello,

I just install DB connect in tail mode on MySQL DB and the daemon tail never works.

Using Splunk UI I can successfully connect and query the MySQL DB.

dbx.log extract :

dbx6092:INFO:BridgeSession - Executing Bridge command: BridgeExecutionInfo{className=com.splunk.dbx.command.DatabaseQueryCommand}
dbx6092:INFO:DatabaseQueryCommand - action=executing SQL query="SELECT * FROM `<mytable>` WHERE `action` LIKE '%action%' " on database=<mydb>
dbx6092:WARN:DatabaseQueryCommand - SearchResultsInfo file null doesn't exist

My query return data as expected.

Below the Java Bridge Server Status (data get from UI DB apps -> setting -> "Java Bridge Server Status")
with my inputs.conf and database.conf.

If someone have any idea ... some additional test, file to see or anything else ?

Thanks,

Status for Splunkd{host='xxxx', sessionKey='xxxx'} (com.splunk.rest.Splunkd)
Splunkd REST connection with sessionKey=xxxxxx (VALID) requests=811

Status for Pooled database factory (com.splunk.dbx.sql.factory.PooledConnectionFactory)
Loaded databases:
    Database{name='<mydbname>', databaseType=MySQL{}, host='xx.xx.xx.xx', port=3306, username='xxxx', database='<mysqldb>'}
    Pool: GenericKeyedObjectPool{active=0, idle=1, maxActive=15, maxIdle=5}

Status for DatabaseMonitoringManager (com.splunk.dbx.monitor.DatabaseMonitoringManager)
Inputs:
    [dbmon-tail://<mydbname>/<mydevice>]: valid=true disabled=false scheduleType=AUTO interval=auto running=false

Status for JavaBridgeServer (com.splunk.bridge.JavaBridgeServer)
    listening on 127.0.0.1:17865 running=true executedSessions=41

Status for ProcessWatcher (com.splunk.bridge.JavaBridgeServer$ProcessWatcher)
    Watching pid file: /opt/splunk/var/run/splunk/dbx/dbx.lock with pid=22420 failures=0

cat inputs.conf

[script://./bin/jbridge_server.py]
disabled = 0

[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

[dbmon-tail://<mydbname>/<mydevice>]
host = <myhost>
index = default
output.format = kv
output.timestamp = 1
output.timestamp.column = 1time
query = SELECT * FROM `1logs` WHERE `1action` LIKE '%action%'
sourcetype = db_mysql
tail.rising.column = 1time
interval = 60
table = mytable

cat database.conf
[mydbname]
database = mysqldb
host = xx.xx.xx.xx
isolation_level = DATABASE_SETTING
password = enc:xxxxxxxxxxx
port = 3306
readonly = 1
type = mysql
username = xxxxx

0 Karma
1 Solution

theouhuios
Motivator

You should use {{WHERE $rising_column$ > ?}} when its a tail input.

Please check this document

try this

SELECT * FROM `1logs` WHERE `1action` LIKE '%action%' {{AND $rising_column$ > ?}} 

View solution in original post

Micmac
Path Finder

Thanks !

I have missed it. After change inputs.conf and a restart of splunkd it was OK.
Tail daemon works and update as expected.

Do you know if the restart of splunkd is normally required or there is something specific to splunk DB Connect to take in consideration the change in .conf files ?

Thanks,

0 Karma

theouhuios
Motivator

You should use {{WHERE $rising_column$ > ?}} when its a tail input.

Please check this document

try this

SELECT * FROM `1logs` WHERE `1action` LIKE '%action%' {{AND $rising_column$ > ?}} 

Micmac
Path Finder

Thanks !

I have missed it. After change inputs.conf and a restart of splunkd it was OK.
Tail daemon works and update as expected.

Do you know if the restart of splunkd is normally required or there is something specific to splunk DB Connect to take in consideration the change in .conf files ?

Thanks,

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...