Splunk Dev

why db_connect can't output result to MySQL database

xsstest
Communicator

I installed db_connect 3.1.2 on a search head in SHC mode. I want to output results to a MySQL db from a Splunk search. I tried the following two methods, but the MySQL database still has no data.

search (alert type is real-time, run with admin permissions):
index=attackinfo|field _time src_ip dst_ip result system

1. Save it as an alert and add the DBX output alert action as the trigger action
OR
2. Add |dbxoutput output="outputAttackinfoToLiveMap" at the end of the search

When some events pass through the search window, these events are not output to MySQL. Why? But when I open search and run the search statement a second time, these events are written to MySQL.

Why are events not written to MySQL when the search is saved as an alert, but running the search statement directly can output to the MySQL db? I tried to change the alert type to a cron expression,

-1m@m @m */1 * * * *

but it is still the same.


xsstest
Communicator

The question is still not resolved, and no one knows why?


p_gurav
Champion

Hi,

I am not sure, but as per the doc:
DB Connect 3 does not support running scheduled task (input or output) on the search head in the Search head cluster deployment. You must run the scheduled task on a heavy forwarder.

Also, can you tell me the database output setting you configured? Refer to this doc:
http://docs.splunk.com/Documentation/DBX/3.1.1/DeployDBX/Createandmanagedatabaseoutputs


xsstest
Communicator

Hi @p_gurav,

not support running scheduled task.

When I configure an output, one option is "Scheduling", but I didn't check it, so I chose to use an alert to output to the MySQL database.
Do you mean the scheduled task refers to this option?


p_gurav
Champion

Ok. Can you share the database output you created?


xsstest
Communicator

@p_gurav

[outputAttackinfoToLiveMap]
connection = Connection_LiveMap
customized_mappings = src_ip:clientip:12,dst_ip:ipstr:12,result:attacktype:12;_time:attacktime:4,system:system:12
disabled=0
interval=* * * * * ?
is_saved_search = 0
query_timeout=
scheduled = 0
search = index=attackinfo|field _time src_ip dst_ip result system
table_name = `livemap`.`attack_log`
ui_query_catalog = livemap
ui_query_table = attack_log
using_upsert=0

This is what I entered manually, because I can't copy information from the intranet.

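Because the stanza above was retyped by hand, a quick checker that parses it before it is deployed is worth having. The following Python script is an added example, not Splunk's or DB Connect's own code and not part of this thread. It assumes the customized_mappings format shown here (comma-separated splunk_field:db_column:sql_type entries, with sql_type a numeric java.sql.Types code such as 12 for VARCHAR and 4 for INTEGER) and that the output's search ends with a `fields` command listing the fields to be written. The sample stanza is constructed from the one posted above; the checker reports the stray `;` inside customized_mappings and the `field` command (the SPL command is `fields`), and confirms every mapped field is actually kept by the search.

```python
"""Sanity checks for a DB Connect 3 db_outputs.conf stanza.

Added example (not Splunk's or DB Connect's code). Assumptions: customized_mappings
is a comma-separated list of splunk_field:db_column:sql_type, sql_type is a
java.sql.Types code, and the output's search ends with a `fields` command.
"""
import re

# Subset of java.sql.Types numeric codes (standard JDBC constants).
JDBC_TYPES = {-5: "BIGINT", 4: "INTEGER", 8: "DOUBLE", 12: "VARCHAR", 93: "TIMESTAMP"}

# Constructed sample input: the stanza as posted in this thread, including the
# stray ';' in customized_mappings and the `field` command in the search.
SAMPLE_STANZA = """\
[outputAttackinfoToLiveMap]
connection = Connection_LiveMap
customized_mappings = src_ip:clientip:12,dst_ip:ipstr:12,result:attacktype:12;_time:attacktime:4,system:system:12
disabled=0
is_saved_search = 0
scheduled = 0
search = index=attackinfo|field _time src_ip dst_ip result system
table_name = `livemap`.`attack_log`
"""


def parse_stanza(text):
    """Return (stanza_name, settings dict) from one conf stanza."""
    name, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1)
            continue
        key, sep, value = line.partition("=")  # split on the first '=' only
        if sep:
            settings[key.strip()] = value.strip()
    return name, settings


def parse_mappings(mapping):
    """Split customized_mappings into (field, column, type_name) triples.

    Returns (triples, problems); malformed entries are reported and skipped."""
    triples, problems = [], []
    for entry in mapping.split(","):
        if ";" in entry:
            problems.append(f"entry {entry!r} contains ';'; mapping entries must be comma-separated")
            continue
        parts = [p.strip() for p in entry.split(":")]
        if len(parts) != 3 or not all(parts):
            problems.append(f"entry {entry!r} is not field:column:type")
            continue
        field, column, code = parts
        try:
            type_name = JDBC_TYPES[int(code)]
        except (ValueError, KeyError):
            problems.append(f"entry {entry!r}: unknown java.sql.Types code {code!r}")
            continue
        triples.append((field, column, type_name))
    return triples, problems


def output_fields(search):
    """Return (set of fields kept by the trailing `fields` command, problems)."""
    last = search.split("|")[-1].strip()
    tokens = last.split()
    if not tokens or tokens[0] not in ("fields", "field"):
        return set(), [f"search does not end with a `fields` command: {last!r}"]
    problems = []
    if tokens[0] == "field":
        problems.append("search uses `field`; the SPL command is `fields`")
    args = tokens[1:]
    if args and args[0] == "+":  # optional explicit keep marker
        args = args[1:]
    return {a.strip(",") for a in args}, problems


def check_output(text):
    """Run all checks and return a findings dict a practitioner can act on."""
    name, s = parse_stanza(text)
    triples, problems = parse_mappings(s.get("customized_mappings", ""))
    fields, field_problems = output_fields(s.get("search", ""))
    problems += field_problems
    for field, column, _ in triples:
        if field not in fields:
            problems.append(f"mapped field {field!r} (-> {column}) is not kept by the search")
    return {
        "stanza": name,
        "scheduled": s.get("scheduled") == "1",
        "mappings": triples,
        "problems": problems,
    }


if __name__ == "__main__":
    report = check_output(SAMPLE_STANZA)
    print(report["stanza"], "scheduled:", report["scheduled"])
    for problem in report["problems"]:
        print("PROBLEM:", problem)
```

Run it against a stanza pasted from db_outputs.conf; an empty problems list means the mapping parses, every type code is known, and every mapped field is produced by the search. The scheduled flag is reported separately because, per the doc quoted above, a scheduled output on a search-head-cluster member is unsupported regardless of how well the stanza parses.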