Solved: Splunk DBConnect Can't write data

tiagofbmm · ‎06-14-2018

Hello All

DBConnect 3.1.3 is avoiding me to index data from Databases, although the input configuration actually works fine, I can see the query results.

But when the scheduled input runs on a regular basis, I get this error and data is never written to the index.

[QuartzScheduler_Worker-16] ERROR c.s.d.s.task.listeners.RecordWriterMetricsListener - action=unable_to_write_batch
java.io.IOException: HTTP Error 400: Bad Request
    at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEventBatch(HttpEventCollector.java:112)
    at com.splunk.dbx.server.dbinput.recordwriter.HttpEventCollector.uploadEvents(HttpEventCollector.java:89)
    at com.splunk.dbx.server.dbinput.recordwriter.HecEventWriter.writeRecords(HecEventWriter.java:36)
    at org.easybatch.core.job.BatchJob.writeBatch(BatchJob.java:203)
    at org.easybatch.core.job.BatchJob.call(BatchJob.java:79)
    at org.easybatch.extensions.quartz.Job.execute(Job.java:59)
    at org.quartz.core.JobRunShell.run(JobRunShell.java:202)
    at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:573)

Any ideas of workaround besides downgrading (by the way, the official downgrade would have to be to 2.4.1, not acceptable)

Any help?

Thank you in advance

tiagofbmm · ‎06-15-2018

The bug is clear now: when I edit the url for the jdbc connection string, Splunk has the host field on the left empty (as it should as everything is done on the customized one). The problem is that Splunk is using that empty host field as the one for http event collector from databases, and as it is a required field, hence the error. The workaround now is to set that field with the host before editing the string and leave it there.

View solution in original post

a_salikov · ‎10-11-2018

Hello,

Please, can you help me to solve problem with Splunk DB Connect:
Install Splunk 7.1.3 and DB Connect 3.1.3.
Select data from Oracle DB in SQL Explorer
Set cron = * * * * *, sourcetype = db, index = oracle.
Search index = oracle -> empty result.
Also we tried to downgrade/upgrade core and app versions: Splunk 7.1.3 - > Splunk Db Connect 3.1.3, Splunk 7.1.3 - > Splunk Db Connect 2.4.1, Splunk 6.6.7 - > Splunk Db Connect 3.1.3, Splunk 6.6.7 - > Splunk Db Connect 2.4.1.
We see db, view and table in DbConnect and select data from Oracle in SQL Explorer. Why data from query don’t write into index?

Best regards, Ablay Salikov.

tiagofbmm · ‎06-15-2018

The bug is clear now: when I edit the url for the jdbc connection string, Splunk has the host field on the left empty (as it should as everything is done on the customized one). The problem is that Splunk is using that empty host field as the one for http event collector from databases, and as it is a required field, hence the error. The workaround now is to set that field with the host before editing the string and leave it there.

chrisboy68 · ‎08-14-2018

OMG thank you. Been banging my head for days trying to figure out what was going on!!!

Chris

apair · ‎06-15-2018

Hello

I have the same problem too :
https://answers.splunk.com/answers/661463/why-is-the-splunk-db-connect-not-indexing-data.html

I think it's a bug in version 3.1.3...

Splunk DBConnect Can't write data

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases