All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

DBX Tail not indexing Microsoft SQL (new version 1.0.8)

ngcgoon
Explorer
‎04-02-2013 12:22 PM

Database Connector to my MSSQL (McAfee) is working and connecting fine however when I setup an input via tail instead of dump, I do not get any data into the specified index. I get a ERROR;TailDatabaseMonitor Could not allocate space for object dbo.SORT temporary run storage: 140844726157312 in database 'tempDB' because PRIMARY file group is full.
Then it tells me to clean out fileGroup data etc etc etc.

Since I am not the DBAdmin is this a DB issue that they will have to perform? Because this is not allowing me to get data into the index. I am using the ReceivedUTC as the incremental field. I have over 25 fields to pull out of the table, and I am polling for data every 15 minutes. I can see the tables and the databases and even make some queries manually however not thru the dbx inputs.

Anyone got any suggestions?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-02-2013 03:04 PM

Yes. It appears that you have chosen an unindexed field as your increment field, and the db server needs to sort the table to determine new rows, and you don't have enough temp space to sort a table that size. Your options would be to find an indexed field on that table, get fewer columns, use a more restrictive query, or increase the temp size. Without knowing much more, it's hard to say what your best choice would be.

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-02-2013 03:04 PM

Yes. It appears that you have chosen an unindexed field as your increment field, and the db server needs to sort the table to determine new rows, and you don't have enough temp space to sort a table that size. Your options would be to find an indexed field on that table, get fewer columns, use a more restrictive query, or increase the temp size. Without knowing much more, it's hard to say what your best choice would be.

Reply
Solved! Jump to solution

ngcgoon
Explorer
‎04-12-2013 10:47 AM

UPDATE: Now the query does not use the tail effectively. I have RecievedUTC as the incrementing field (epoch) and I get the same records or no records at all. There are no log entries that show any errors either. So how can I query the database to send me events created from the previous hour?

0 Karma
Reply
Solved! Jump to solution

ngcgoon
Explorer
‎04-03-2013 01:47 PM

OK I shortened the queries to 128 or less and split them into about 5 separate ones. So for now it is working!

Thanks again for the response.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎04-03-2013 11:53 AM

sqlserver. the message and complaint is entirely from mssqlserver.

0 Karma
Reply
Solved! Jump to solution

ngcgoon
Explorer
‎04-03-2013 11:43 AM

Cool let me try that. I guess I have to get a dbadmin to adjust the temp space on the DB server...

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...