Re: DBmon giving error

theouhuios · ‎10-21-2013

Hello

I have a DBconnect input which is working on one environment but its giving error in another environment.

[dbmon-tail://xxx/yyy]
output.format = kv
output.timestamp = true
output.timestamp.column = modifiedTime
query = SELECT to_char(I.SYSMODTIME,'MM/DD/YYYY HH24:MI:SS') as "modifiedTime",to_char(I.OPEN_TIME,'MM/DD/YYYY HH24:MI:SS') as "createdTime",to_char(I.CLOSE_TIME,'MM/DD
/YYYY HH24:MI:SS') as "closedTime",I."NUMBER",I.PROBLEM_STATUS as "status",I.SF_MASTER_INCIDENT_ID as "masterIncidentID",I.SF_IS_MASTER_INCIDENT as "isMasterIncident",I
.AFFECTED_ITEM as "service",I.LOGICAL_NAME as "affectedCI",C."TYPE" as "ciCategory",C.SUBTYPE as "ciSubtype",to_char(I.REOPEN_TIME,'MM/DD/YYYY HH24:MI:SS') as "reopened
Time",I.REOPENED_BY as "reopenedBy",I.ASSIGNMENT as "assignmentGroup",P.CONTACT_NAME as "groupManagerAlias",P.FULL_NAME as "groupManagerName",A.SF_NAME as "groupName",A
.SF_DEPT as "groupDepartment",A.SF_DEPT_AREA as "groupArea",A.SF_DEPT_FUNCTION as "groupFunction",A.SF_DEPT_COMPONENT as "groupComponent",I.ASSIGNEE_NAME as "assignee",
I."COUNT" as "assignmentCount",I.INITIAL_IMPACT as "impact",I.SEVERITY as "urgency",I.PRIORITY_CODE as "priority",I.CATEGORY as "category",I.SUBCATEGORY as "subcategory
",I.PROBLEM_TYPE as "type",I.CONTACT_NAME as "customer",I.ALTERNATE_CONTACT as "alternateContact",I.LOCATION as "location",to_char(I.SLA_EXPIRE,'MM/DD/YYYY HH24:MI:SS')
 as "nextBreachTime",I.NETWORK_NAME as "hostname",I.SOURCE as "sourceID",I.SERVER_ID as "managementServer",I."GROUP" as "messageGroup",I.APPLICATION_NAME as "applicatio
n",I.SF_RECOMMENDED_KI as "recommendedKIs",I.OPENED_BY as "openedBy",I.UPDATED_BY as "updatedBy",I.CLOSED_BY as "closedBy",I.BRIEF_DESCRIPTION as "briefDescription",  t
o_char(substr(I.ACTION,1,4000)) as "incidentDescription",to_char(substr(I.SF_ORIGINAL_MESSAGE_TXT,1,4000)) as "originalMessage",to_char(substr(I.RESOLUTION,1,4000)) as
"recoveryActions" from smadm.probsummarym1 I, smadm.assignmentm1 A, smadm.contctsm1 P, smadm.device2m1 C  where A."NAME" = I.ASSIGNMENT and P.CONTACT_NAME = A.WDMANAGER
NAME and I.LOGICAL_NAME = C.LOGICAL_NAME {{WHERE $rising_column$ > ?}}
output.timestamp.format = %m/%d/%Y %H:%M:%S
output.timestamp.parse.format = %m/%d/%Y %H:%M:%S
sourcetype = xxxx
tail.rising.column = modifiedTime
index = itsm
interval = 15m

And the Error I get is

2013-10-20 12:34:38.230 monsch1:ERROR:Scheduler - Error while reading stanza=[dbmon-*]: com.splunk.config.SplunkConfigurationException: Invalid dbmon inputs stanza: dbmon-*

Thats th only dbmon input in inputs.conf. Any idea on why it will give error?

ShaneNewman · ‎10-21-2013

Well. I am a but confused by the query aspect of this... Typically if you use a "Tail" command there is no reason to do a query, other then to limit the fields you wish to index. Looks like it needs to be set up as a dump like this one:

[dbmon-dump://xxx/yyy]
disabled = 0
host = somehost
index = someindex
interval = 5 * * * *
output.format = kv
output.timestamp = 1
output.timestamp.column = timestampcolumn
query = SELECT T2.LoadingStateDate, T1.ArchTime, T1.MessageID, T1.MessageSourceSystem, T1.MessageType, T1.MessageCreationTime\r\nFROM [ArchMessage] AS T1 (nolock), [ArchMessageState] AS T2 (nolock)\r\nWHERE T2.LoadingStateDate >= DATEADD(hh,DATEPART(hh,GETDATE())-1,DATEADD(dd,0, DATEDIFF(dd,0,GETDATE())))\r\nAND T2.LoadingStateDate <= DATEADD(ss,-1,DATEADD(hh,DATEPART(hh,GETDATE()),DATEADD(dd,0, DATEDIFF (dd,0,GETDATE()))))\r\nAND T2.LoadingState='9'\r\nAND T2.ErrorID Is NULL\r\nAND T2.BTSInterchangeID=T1.BTSInterchangeID
sourcetype = somesourcetype
table = sometable
output.timestamp.format = "YYYY-MM-dd HH:mm:ss.SSS"

DBmon giving error

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...