Splunk DB Connect upgrade: SQL Query for pulling O...

smcbride27 · ‎10-03-2017

After upgrading to DBX 3.1.1 from DBX 2.3.x My SQL query for pulling Oracle audit trails no longer works. I'm using a converted time stamp based off of the event time stamp for the rising column, and I've added in the additional WHERE statement to the query, per the guidelines. The query works in batch mode, but errors out when I select rising column. Any help would be greatly appreciated.

smcbride27 · ‎10-16-2017

It turns out that I found a bug with support. They went back to the developers and we have a work around.

Venkat_16 · ‎10-16-2017

We have the similar issue on DB Connect 2.4.x as well.
Could you please share the workaround?

richgalloway · ‎10-16-2017

So others might benefit, please share the workaround.

---
If this reply helps you, Karma would be appreciated.

smcbride27 · ‎10-16-2017

To work around the rising column issue non indexable columns need to be skipped in the sql query. (For me this was specifically for the audit trails on an Oracle Exadata). This was done by editing the sql queries manually in the $SPLUNK_HOME/etc/apps/splunk_app_db_connect/local directory in the db_inputs.conf file

Skipping columns causes a shift in the rising column index, so the checkpoint files need to be cleaned up as well. These files are under $SPLUNK_HOME/var/lib/splunk/modinputs/server/splunk_app_dbconnect

Note: Some of the above files and locations do NOT exist until the app is upgraded, and the migration completed.

smcbride27 · ‎10-03-2017

This is the error that I'm getting: java.sql.SQLException: Missing IN or OUT parameter at index:: 1

Venkat_16 · ‎10-16-2017

Any updates on the resolution please?

Splunk DB Connect upgrade: SQL Query for pulling Oracle audit trails stopped working

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!