Re: no data from db connect since upgrade to 6.4.3

mraudaschl · ‎09-20-2016

hi all,
since our update from SPLUNK 6.2 to 6.4.3 we are encountering an issue with the data which had been forwarded by DB connect BEFORE the update. This data is not searchable anymore, only new data is visible in Splunk.
However, DB Connect works fine.
Since I am sure the data has not been deleted, what are ways to make the data visible again?
Any help would be appreciated.

sloshburch · ‎04-04-2019

Messages in the splunkd.log on any instance about unable to forward?

mraudaschl · ‎09-20-2016

I know it should, but it doesn't show. earliest searchable data is from 20th of August, but we have input data at least three months before.

lukejadamec · ‎09-20-2016

If your data is there (and it should be), then you can find it with this search.
First, run a search on the DB data and pick a field that only exists in the DB data.
Then run this search over All Time:

index=*   <your field> = *

It should show all of the DB data. Look at the data from prior to the upgrade and see if the index, or sourcetype, or source changed.

no data from db connect since upgrade to 6.4.3

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification