Splunk DB Connect not indexing

ktang
Explorer

Greetings Splunk Answers,

I am having an issue with the Splunk DB Connect app where database inputs are not indexing.
I'm using dbmon-dump and dbmon-tail to query my DB as data sources. I can see a return of result counts in the dbx.log when the dbmon-dump monitor runs, yet a Splunk search using "source = dbmon-dump://~" does not produce the key-value data from the DB table that I am expecting.

There are no issues with the DB connection. Running an SQL statement in DB query produces the key-value data of my table.

Is anybody experiencing a similar issue with the Splunk DB Connect app? Am I doing this wrong?
Any assistance is appreciated.

Thanks,
ktang

1 Solution

ktang
Explorer

It looks like the DBX app was working all this time... and my searches were wrong.


melonman
Motivator

Hi ktang,

If the connection to the DB is OK and dbx.log shows row counts, then the next thing you need to check is whether the intermediate file is actually created and indexed.

I think DBX actually gets inputs through the following directory as batch input.

${SPLUNK_HOME}/var/spool/dbmon/*.dbmonevt

By default, the batch input for the directory is enabled, but if you manually disable it, Splunk probably won't eat DB input even though the Java bridge actually reads rows from the DBMS.

melonman
Motivator

So the directory is configured as a batch input with the sinkhole option. That means the input file is deleted after indexing is completed. So you may or may not see anything under that directory, depending on the timing. As long as that directory is configured and you have not touched the config, then you should be OK.

And, good to hear you see DB Connect is working 🙂


ktang
Explorer

Thanks for responding.

The batch input is enabled in my local inputs.conf file.

[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt =
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool

I've checked:
${SPLUNK_HOME}/var/spool/dbmon/*.dbmonevt

..no *.dbmonevt files are in the dir.

Looks like the problem is here and has to do with why .dbmonevt files are not seen with batch input enabled..?

Since I haven't got database inputs working, I'm not sure what to expect from the batch input.

Do you have this working? What do you have in
$SPLUNK_HOME/var/spool/dbmon?
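
The batch-input behaviour discussed in this thread, as an added example that is not part of any post: a Python check that merges one app's default and local inputs.conf and classifies the spool state. The sample configs and the status labels are constructed, and local/ overriding default/ within a single app is the only precedence modelled.

```python
import re

# Stanza name as posted in the thread.
SPOOL_STANZA = "batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt"

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def effective_stanza(default_text, local_text, name=SPOOL_STANZA):
    """Merge one app's default/ and local/ copies; local wins key by key."""
    merged = dict(parse_conf(default_text).get(name, {}))
    merged.update(parse_conf(local_text).get(name, {}))
    return merged

def diagnose(stanza, spool_files):
    """Classify the spool state described in the thread (labels are hypothetical)."""
    if not stanza:
        return "no-batch-input"      # nothing consumes the spool directory
    if stanza.get("disabled", "0").lower() in {"1", "true"}:
        return "batch-disabled"      # rows are read but never indexed
    if stanza.get("move_policy") != "sinkhole":
        return "unexpected-move-policy"
    # Sinkhole deletes each file once indexed, so an empty directory is normal.
    return "files-pending" if spool_files else "ok-empty-spool"

# Constructed sample configs (not taken from a real installation).
DEFAULT_CONF = """
[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt =
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool
"""
LOCAL_DISABLED = "[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]\ndisabled = 1\n"

if __name__ == "__main__":
    print(diagnose(effective_stanza(DEFAULT_CONF, ""), []))
    print(diagnose(effective_stanza(DEFAULT_CONF, LOCAL_DISABLED), []))
```

On a live instance, `splunk btool inputs list batch --debug` prints the merged stanza together with the file each setting came from.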
