Deployment Architecture

DB Connect: Why is data not being indexed when an index is specified setting up a dbmon-tail?

helius
Path Finder

Hi all, I'm new to splunk but have been thrown into a project and need to figure things out on my own.

I'm using DBConnect app, dbmon-tail, and am placing the results into an index named content_eng.

When I setup the dbmon-tail, it works when I leave default/blank for the index.

What possibilities could cause it not to work with content_eng? It would seem like a permissions issue, just not sure. I've gone into Access controls » Roles and made sure the dbx user has all capabilities (to test, not perm), but that hasn't helped.

The index content_eng does exist on the indexers directly.

1 Solution

helius
Path Finder

I found the solution... Finally...

You need to forward the dbx/dbconnect data to the indexers by creating /app/splunk/etc/apps/dbx/local/outputs.conf. Then, place your indexer IPs in. Mine looks like:

[tcpout:bdn_indexers]
server=123.123.123.123:9997
autoLB=true
autoLBFrequency=30

I decided to mimic my primary forwarder's outputs.conf too which made it super easy.

View solution in original post

helius
Path Finder

I found the solution... Finally...

You need to forward the dbx/dbconnect data to the indexers by creating /app/splunk/etc/apps/dbx/local/outputs.conf. Then, place your indexer IPs in. Mine looks like:

[tcpout:bdn_indexers]
server=123.123.123.123:9997
autoLB=true
autoLBFrequency=30

I decided to mimic my primary forwarder's outputs.conf too which made it super easy.

lguinn2
Legend

You must create the index content_eng on the indexers in your environment. You don't say how your Splunk is configured, but if you are logged into a search head as the Splunk admin, you will not see the configurations on the indexers. If you are logged into the indexer as the Splunk admin, you should see the content_eng index under Settings > Data > Indexes. If you don't, then something is wrong with the configuration that was set up by the other team member.

You might want to find the stanza for [content_eng] in indexes.conf (there may be multiple copies of this file, so you may have to look in more than one place). If you can't see what's wrong, post the [content_eng] stanza here - and tell us where you found it.

Another thing that could affect this: are you using clustering?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...