Greetings Splunk Answers,
I am having an issue with the Splunk DB Connect app where database inputs are not indexing.
I'm using dbmon-dump and dbmon-tail to query my DB as data sources. I can see a return of result counts in the dbx.log when the dbmon-dump monitor runs, yet a Splunk search using "source = dbmon-dump://~" does not produce the key-value data from the DB table that I am expecting.
There are no issues with the DB connection. Running an SQL statement in DB query produces the key-value data of my table.
Is anybody experiencing a similar issue with the Splunk DB Connect app? Am I doing this wrong?
Any assistance is appreciated.
Thanks,
ktang
It looks like the DBX app was working all this time... and my searches were wrong.
Hi ktang,
If the connection to the DB is OK and dbx.log shows row counts, then the next thing you need to check is whether the intermediate file is actually created and indexed.
I think DBX actually gets inputs through the following directory as batch input.
${SPLUNK_HOME}/var/spool/dbmon/*.dbmonevt
By default, the batch input for the directory is enabled, but if you manually disable it, Splunk probably won't eat the DB input even though the Java bridge actually reads rows from the DBMS.
So the directory is configured as a batch input with the sinkhole option. That means the input file is deleted after indexing is completed. So you may or may not see anything under that directory, depending on the timing. As long as that directory is configured and you have not touched the config, then you should be OK.
and, good to hear you see DB Connect is working 🙂
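An added example, not part of the thread or of DB Connect: a small Python check for the condition the answer above describes, that the spool directory's batch stanza is still enabled and still uses the sinkhole policy once a local inputs.conf is layered over the app default. The default-layer contents and the function names are assumptions made for illustration; only the stanza name and the `crcSalt` line come from the thread.

```python
# Added example. The conf text below is constructed sample data.
STANZA = "batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt"

# Assumed default layer: enabled batch input with sinkhole, as the answer describes.
DEFAULT_CONF = """
[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
disabled = 0
move_policy = sinkhole
"""
# Local layer as quoted in the thread (the crcSalt value is empty there).
LOCAL_AS_POSTED = """
[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt =
"""
# Constructed variant: someone disabled the input in the local layer.
LOCAL_DISABLED = LOCAL_AS_POSTED + "disabled = 1\n"

TRUE_VALUES = {"1", "true", "t", "yes", "y"}

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def effective(default_text, local_text, stanza=STANZA):
    """Merge one stanza key by key; local settings override default ones."""
    merged = dict(parse_conf(default_text).get(stanza, {}))
    merged.update(parse_conf(local_text).get(stanza, {}))
    return merged

def check_spool_input(default_text, local_text):
    """Return a list of reasons the spool files would not be indexed and removed."""
    settings = effective(default_text, local_text)
    if not settings:
        return ["batch stanza for the dbmon spool directory is missing"]
    problems = []
    if settings.get("disabled", "0").lower() in TRUE_VALUES:
        problems.append("batch input is disabled")
    if settings.get("move_policy") != "sinkhole":
        problems.append("move_policy is not sinkhole")
    return problems
```

This merges only two layers of one app; on a running instance, `splunk btool inputs list --debug` prints the stanza as Splunk actually resolves it across all apps.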
thanks for responding.
The batch input is enabled in my local inputs.conf file.
[batch://$SPLUNK_HOME/var/spool/dbmon/*.dbmonevt]
crcSalt =
I've checked:
${SPLUNK_HOME}/var/spool/dbmon/*.dbmonevt
..no *.dbmonevt files are in the dir.
Looks like the problem is here and has to do with why .dbmonevt files are not seen with batch input enabled..?
Since I haven't got database inputs working, I'm not sure what to expect from the batch input.
Do you have this working? What do you have in
$SPLUNK_HOME/var/spool/dbmon?