Hello everyone,
I was successful in creating an index using an SQL query on an external MySQL database. But when I wanted to add one more field to this index from the DB, it would not update back data in the index with the new field. Only the data after the change have the new field.
SO I thought of deleting this index and re-creating one. But is there a one-shot load method for loading an external DB into an index?
Thanks in advance for your help.
With regards,
Manus
Configuring a dbmon-dump input is the right way to go. Configuration screens in the Splunk UI are sometimes incomplete or missing lesser used options, however. If you haven't done this already, you may have to edit the inputs.conf file for your app directly in order to get things working or formatted the way you want them to be.
Hi linu1988,
Thank you for your reply. I tried this but it is not allowing me to change that setting in the COnfig screen. All I can change is the SQL query.
configure the [dbmon-dump://..] to load the whole Table at once. Then configure the DB-tail to monitor it , but you wont be able to change the events once they are indexed.