Deployment Architecture

Splunk DB Connect: Why did my dbmon-tail input to fetch data from a SQL query stop tailing data after 1 day?

xbbj3nj
Path Finder

Hi,

I have setup a dbmon-tail to fetch data from a SQL query every 15 minutes. It works as expected for a day until night, and suddenly the next day it stops tailing data.

Select * from ArcUnion {{WHERE $rising_column$ > ?}}

In the interval I have set as 15m.

Can you please tell me what's the issue here?

0 Karma

karabsze
Path Finder

Have you also tried to change the interval to cron expression ?

0 Karma

vincenteous
Communicator

Does your dbx.log report anything related to an error? You may want to check that log instead of splunkd.log to start the troubleshoot process.

0 Karma

rickalmva
New Member

the "Rising Column" Timegenerated, is it like (or is) Unix Epoch, ever increasing or it is time of day, resetting to a lower value nightly ? Remember the query is looking for records where the value of Timegenerated is > (greater than) any value seen before.

Just checking the simple things

0 Karma

xbbj3nj
Path Finder

Rickamva,
Thanks for the response.
Timegenerated coloumn is ever increasing value, its a unix timestamp field which keeps on changing at any point of time.

0 Karma

mzorzi
Splunk Employee
Splunk Employee

try to use the full jdk installation from Oracle.

0 Karma

xbbj3nj
Path Finder

what do you meany by that ? you want me upgrade the DBX app ?

0 Karma

PPape
Contributor

Could you please paste your inputs.conf and did you check your splunkd.log for errors?

0 Karma

xbbj3nj
Path Finder

Hi ,

Below is my inputs.conf...

[dbmon-tail://Essmon_wnpcpdbeso01/ESO_DB_wnpcpdbeso01]
host = wnpcpdbeso01
index = eso
interval = 15m
output.format = mkv
output.timestamp = 1
output.timestamp.column = Timegenerated
query = Select * from ArcUnion {{WHERE $rising_column$ > ?}}
table = ESO_DB_wtpcpdbeso04
tail.rising.column = Timegenerated
disabled = 0

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...