I am trying to use the tail command but nothing seems to get into my index. I'm not doing a specific query; I just want to pull in the data to be indexed every 5 mins rather than doing a specific lookup or query (still learning all the ins and outs of Splunk). Basically I want to be able to correlate anything that's in the Splunk index with values in my database (so if someone clicks on a hostname, for instance, it pulls data from the database). My thought is that using the database tail would put the data into the index and would automatically give me what I am looking for without much extra work. Am I off in my thinking?
Thanks,
Sean
Yes, indexing is one of the things DB Connect was designed for. It should pull in and index the data from your database.
Can you post your database.conf and inputs.conf to help diagnose why it's not working?
That's right. Let us know if you see the data now in the main index. I'll see about clarifying what index means in the manager UI.
Dan, silly me, I figured that the SERIAL index was a database index and not a Splunk index. If I leave that empty, will the data show up in the main index?
I'm looking at the index=SERIAL setting in your tail stanza. Do you have this set up as a Splunk index? Do you have permissions set up to search it by default?
Yes, that works perfectly fine. I can run the queries that I normally run against that database within Splunk. I'm just not getting any data indexed, it looks like. Like I said, I watch the logs and I can see the tail getting data (except it seems like it's stalled lately). So I'm a little stumped as to why I can't search for the database data, or why it doesn't show up when I search against a host name.
Can you successfully use the dbquery command to pull data from NCreporter?
So I was watching the dbx.log and I do see that the tail gets fired off, but I can't find any data relating to the ncreporter sourcetype.
inputs.conf
# Starts the Java bridge that the dbmon inputs talk to
[script://$SPLUNK_HOME/etc/apps/dbx/bin/jbridge_server.py]
disabled = 0
# Spool directory the tail writes its events into; Splunk indexes them from here
[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt = <SOURCE>
disabled = 0
move_policy = sinkhole
sourcetype = dbmon:spool
[dbmon-tail://NCreporter/REPORTER_STATUS]
host = NODE
# Splunk index the events go to (not a database index); it must already exist and be searchable
index = SERIAL
output.format = mkv
output.timestamp = 0
sourcetype = ncreporter
table = REPORTER_STATUS
# Column whose value only ever increases; each run fetches rows above the last value seen
tail.rising.column = SERIAL
interval = auto
disabled = 0
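The dbmon-tail stanza above relies on a rising column: DB Connect remembers the highest SERIAL it has already indexed and, on each run, selects only rows whose SERIAL is greater than that checkpoint. The script below is an added illustration of that mechanism, not Splunk DB Connect's own code. It models the loop against a constructed in-memory SQLite table (standing in for the Oracle REPORTER_STATUS table in the thread); the checkpoint store, the query shape and the sample rows are assumptions of this example. It shows why the first run pulls every row, why later runs return nothing until new rows arrive, and why a row inserted with a SERIAL that is not above the checkpoint is never picked up, which is one way a rising-column tail appears to "stall".

```python
"""Rising-column tail simulation (added example, not DB Connect code)."""
import sqlite3

# Names taken from the thread's dbmon-tail stanza.
TABLE = "REPORTER_STATUS"
RISING_COLUMN = "SERIAL"
# Identifiers cannot be bound as SQL parameters, so only allowlisted ones are
# ever interpolated into a statement; never build them from untrusted input.
ALLOWED_IDENTIFIERS = {TABLE, RISING_COLUMN}


def make_db():
    """Constructed sample data standing in for the Oracle table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f'CREATE TABLE "{TABLE}" ("{RISING_COLUMN}" INTEGER PRIMARY KEY, '
        "HOSTNAME TEXT, STATUS TEXT)"
    )
    conn.executemany(
        f'INSERT INTO "{TABLE}" VALUES (?, ?, ?)',
        [(1, "thumper", "OK"), (2, "nodeA", "WARN"), (3, "nodeB", "OK")],
    )
    conn.commit()
    return conn


class RisingColumnTail:
    """Minimal model of a rising-column tail: fetch rows above a checkpoint."""

    def __init__(self, conn, table, column):
        for ident in (table, column):
            if ident not in ALLOWED_IDENTIFIERS:
                raise ValueError(f"identifier not allowed: {ident!r}")
        self.conn = conn
        self.table = table
        self.column = column
        self.checkpoint = None  # None means the input has never run

    def poll(self):
        """One scheduled run: return new rows and advance the checkpoint."""
        base = f'SELECT * FROM "{self.table}"'
        order = f' ORDER BY "{self.column}"'
        if self.checkpoint is None:
            cur = self.conn.execute(base + order)
        else:
            cur = self.conn.execute(
                base + f' WHERE "{self.column}" > ?' + order, (self.checkpoint,)
            )
        rows = cur.fetchall()
        if rows:
            idx = [d[0] for d in cur.description].index(self.column)
            self.checkpoint = rows[-1][idx]  # highest value seen so far
        return rows


def run_demo():
    """Three polls: initial load, nothing new, then one new row plus one
    back-filled row with a SERIAL below the checkpoint that is never indexed."""
    conn = make_db()
    tail = RisingColumnTail(conn, TABLE, RISING_COLUMN)
    first = tail.poll()   # fresh input: every existing row
    second = tail.poll()  # no rows above SERIAL 3 yet
    conn.execute(f'INSERT INTO "{TABLE}" VALUES (?, ?, ?)', (4, "nodeC", "OK"))
    conn.execute(f'INSERT INTO "{TABLE}" VALUES (?, ?, ?)', (0, "backfilled", "OK"))
    conn.commit()
    third = tail.poll()   # only SERIAL 4; SERIAL 0 is below the checkpoint
    seen = {r[0] for r in first + second + third}
    all_serials = {r[0] for r in conn.execute(f'SELECT "{RISING_COLUMN}" FROM "{TABLE}"')}
    return {
        "first": len(first),
        "second": len(second),
        "third": len(third),
        "checkpoint": tail.checkpoint,
        "never_indexed": sorted(all_serials - seen),
    }


if __name__ == "__main__":
    print(run_demo())
```

When a tail like this seems to stop producing events even though dbx.log shows it firing, the two things worth checking are whether new rows actually carry a SERIAL above the stored checkpoint and whether the target Splunk index exists and is searchable by the user running the search.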
As requested (username and passwords removed):
database.conf
[NetCool]
database = reporter
host = thumper
password = ***removed***
port = 3306
# Read-only connection: the tail only ever needs SELECT on the table
readonly = 1
type = mysql
username = ***removed***
[NCreporter]
database = orcl.oracle.com
host = thumper
password = ***removed***
port = 1521
readonly = 1
type = oracle
username = ***removed***