- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- DBConnect 3 : not getting data writen into splunk ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Guys,
I'm new to Dbconnect but i have this urgent problem.
from the application, i created an input (mode=rising) based on a rising column timestamp created in oracle DB.
query:
**SELECT DISTINCT * FROM "DB"."TABLE"
WHERE TIME > ?
ORDER BY TIME ASC*
The execution of the query in rising mode is successful !! but then NO DATA created in splunk!
i tracked down the error:
2019-04-23 11:43:01.645 +0100 INFO c.s.dbx.server.task.listeners.JobMetricsListener - action=collect_job_metrics connection=DB jdbc_url=null db_read_time=4 hec_record_process_time=350 format_hec_success_count=1000 status=FAILED input_name=test2 batch_size=1000 error_threshold=N/A is_jmx_monitoring=false start_time=2019-04-23_11:43:00 end_time=2019-04-23_11:43:01 duration=1643 read_count=1000 write_count=0 filtered_count=0 error_count=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the solution !
after watching logs (tail - 50) from $SPLUNK_HOME/var/log/splunk/splunk_app_db_connect_server.log, i realised that the problem was in the JVM command option! the error was :
HTTP Error 400, HEC response body: {"text":"Error in handling indexed fields","code":15,"invalid-event-number":0}
==>Solution :
Http Event Collector expects to receive dates in format: timestamp.microsecondes
Splunk DB connect transforms dates in this format via Java. If the default locale takes the comma as the decimal separator, the problems start ...
To solve this problem :
In Splunk DB Connect > Configuration> Settings> General, add the option in JVM Options:
*-Duser.language=en*
Save, java server restarts.
I've got help from this question
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I found the solution !
after watching logs (tail - 50) from $SPLUNK_HOME/var/log/splunk/splunk_app_db_connect_server.log, i realised that the problem was in the JVM command option! the error was :
HTTP Error 400, HEC response body: {"text":"Error in handling indexed fields","code":15,"invalid-event-number":0}
==>Solution :
Http Event Collector expects to receive dates in format: timestamp.microsecondes
Splunk DB connect transforms dates in this format via Java. If the default locale takes the comma as the decimal separator, the problems start ...
To solve this problem :
In Splunk DB Connect > Configuration> Settings> General, add the option in JVM Options:
*-Duser.language=en*
Save, java server restarts.
I've got help from this question
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Is HEC running on the heavy forwarder and did you make a token for dbconnect?
You could try Debug HTTP Event Collector port issues in the troubleshooting page:
https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/Troubleshooting
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The token is created by the app as db-connect-http-input
the port unchanged by default 8080, ssl is enabled
it's not a distributed environment, it's a full (all-in) instance.
i checked index=_internal 8088 for errors but in vain.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
