Splunk DB Connect: How to troubleshoot why I'm not...

markvanrooyen · ‎12-07-2015

I'm pretty new to Splunk so am configuring this with the help of the guides. I have configured the Splunk DB Connect 2 app to query a table in my MS SQL server.

Everything shows a valid connection when configuring the data input and the query returns data for me to configure it with. I have a rising column set and when checking the rpc.log, I can see the query running. In here, the query says

RisingColumnName > ? ORDER BY RisingColumnName ASC

of course replacing RisingColumnName with the actual column - I'm not sure if the ? is just something to do with Splunk or if this should in fact be the ID for the rising column?

Not sure what to look at now. I just can't get any of my data from SQL into SplunK!

richgalloway · ‎12-07-2015

The question mark is where the last-seen value of RisingColumnName is inserted by DB Connect when submitting the query. You must enclose the WHERE clause (or a subset of it) in double braces "{{}}" for it to work. Check dbx.log for errors.

---
If this reply helps you, Karma would be appreciated.

Splunk DB Connect: How to troubleshoot why I'm not getting any of my MS SQL data in Splunk?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...