Solved: Splunk DB Connect MSSQL DB Input does not work

gauravmishra15 · ‎03-11-2015

Hi All,

I am facing an issue with Splunk DB connect. I was able to create a Database connection (MSSQL) and add a Database input. The Database connection works but Database input (DBMon Tail) is not able to fetch the data from SQL. Here is my inputs.conf file -

[script://.\bin\jbridge_server.py]
disabled = 0

[batch://$SPLUNK_HOME\var\spool\dbmon*.dbmonevt]
crcSalt =
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

[dbmon-tail://DB_MyUAT/Table_LOG]
host = localhost
index = mssql
interval = 1h
output.format = mkv
output.timestamp = 1
output.timestamp.column = List_CREATE_DATE
output.timestamp.format = "yyyy-MM-dd HH:mm:ss.SSS"
query = SELECT * FROM [DB_MyUAT].[Sch_UAT].[Table_LOG] {{WHERE $rising_column$ > ?}}
sourcetype = Table_LOG
tail.rising.column = List_CREATE_DATE

table = Table_LOG

I did not find anything wrong in the DB side, I am able to run same query in DB using same account. I am not sure if I missed anything. Please suggest.

gauravmishra15 · ‎08-12-2015

All,

This issue was due to permission issue. The ID through which DBmon was created, did not have permission to write in the index. Issue was resolved by adding correct permissions.

View solution in original post

gauravmishra15 · ‎08-12-2015

All,

This issue was due to permission issue. The ID through which DBmon was created, did not have permission to write in the index. Issue was resolved by adding correct permissions.

Splunk DB Connect MSSQL DB Input does not work

table = Table_LOG

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases