Does the SCCM App for Splunk work with Splunk DB C...

mikesangray · ‎10-08-2015

Anyone know if the SCCM app works with DB connect 2? We aren't having much success so far, and I want to make sure we are using a tested/supported DB Connect version before spending more time on it.

Richfez · ‎10-08-2015

You don't say where your problem appears, so this is just a stab in the dark.

I just went through setting up the SCCM app (and also getting that data into ES). It wasn't quite as straightforward as it first appeared. You have to create a db connection to our DB called sccm (IIRC). Then the db inputs will work against that. Have you done that step?

I used DB Connect v. 1. While I didn't see anything that shouldn't work with v2, in our environment we generally use pass-through authentication with our SQL instances using a domain login. DB Connect V2 had a bug, mentioned (with potential solution) here, in older versions that meant it wouldn't work out of the box for pass-through authentication. So make sure you have an updated dbx2 version (and double-check on that bug and that its fixed!)

If that still doesn't work, it is always useful to take it one step at a time. First, confirm your DB connection to your DB tests OK. Once that's built, make sure your DB inputs then seem to function. Maybe run the queries it's trying to run manually against the DB. Check your sccm and sccm_status indexes (you did create those, right? - though the app may have those in indexes.conf, I'm not sure because I had to build them on a different system because of our environment.)

So, if those help, great. If not, giving some specifics on what exactly isn't working would help.

Or, as a fall back, setting up DBXv1 is very easy and fast, and it can coexist happily with v2 on the same box!

mikesangray · ‎10-09-2015

We have DB auth working. I think the problem might be the indexes - we created indexes with different names e.g. test_sccm and test_sccm_status and modified the app inputs.conf file to reflect this...must the indexes be named sccm and sccm_status for the app to work? Also, the app creates the indexes on the same server it gets installed on and this is an issue for a distributed environment.

Richfez · ‎10-09-2015

Using whatever method appropriate to your environment you should create the indexes on the indexer. It SHOULD work to rename them if you change all the locations in inputs.

I would not be too worried about using a test index. You can easily clean or even delete and recreate the index to clean it. And resetting the rising value to grab all the history is easy too. But honestly, if the input works, well, then, the input worked. 😉

So at this point create those indexes wherever your SH would put the data, see what happens.

The app itself creates an "sccm_user" role too, and that iirc adds the indexes it created as ones to be searched in by default for members of that role. You will probably have to tweak that.

Oh, one last thought, the check data ingest by searching those indexes directly, that avoids any of the trickery that may obfuscate if it is working correctly. Like "index=sccm OR index=sccm_status" over a reasonable time periosd.

Let us know!

robert_miller · ‎01-08-2016

Did anyone ever get this working with DB Connect v2? I have had the same issue with no luck.

Does the SCCM App for Splunk work with Splunk DB Connect 2?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!