All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Query Data Not Going into Index with DBConnect

weicai88
Path Finder
‎01-15-2016 09:05 AM

Hi,

I use DBConnect 2 to pull McAfee endpoint security data from ePO into Splunk and that part works great. However, when I tried to pull additional audit data from the same database, the data won't show up in the index. The test of the SQL query in the DBConnect connection was successful and there's no error in the splunkd.log. Here's the stanza in the inputs.conf:

[mi_input://ta_mcafee_epo_5_input:audit]
disabled = 0
host = <SQL Host Name>
connection = <Connection Name>
index = mcafee
interval = * * * * *
max_rows = 10000
output_timestamp_format = YYYY-MM-dd HH:mm:ss

changed "SELECT TOP 10000" to just "SELECT" because it's not working with DBXv2

query = SELECT [AutoId],[UserId],[UserName],[Priority],[CmdName],[Message],[Success],[StartTime],[EndTime],[RemoteAddress],[TenantId] FROM [ePO_MTIB-EPO-APP].[dbo].[OrionAuditLogMT] WHERE [AutoID] >10000
sourcetype = mcafee:audit
source = dbx1
mode = tail
tail_follow_only = 1
tail_rising_column_name = AutoID
tail_rising_column_number = 2
ui_query_mode = advanced
input_timestamp_column_name = timestamp
input_timestamp_column_number = 1
tail_rising_column_checkpoint_value = 10000

What could be the problem?

Thanks!
Wei

0 Karma
Reply

thirulog
New Member
‎12-04-2017 09:01 PM

Wei,

did u find any solution for your issue

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎01-17-2016 06:57 PM

Do you have your DB configured to use case-sensitive column names? If so, check for proper spelling of your "AuditID" column, as you used inconsistent spelling. I suspect that it's not the case since you said the query works fine by itself, but thought I'd point it out anyways.
Also, if you want to use a rising column, your SQL statement needs to include {{WHERE $rising_column$ > ?}}

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...