I have defined a database input (dump type) with a simple SQL query and a key-value output format. \
The "dbx.log" file shows that the query is running without any problems:
2014-09-19 11:06:08.426 dbx1788:INFO:ExecutionContext - Execution finished in duration=23 ms
2014-09-19 11:06:08.427 monsch2:INFO:Scheduler - Execution of input=[dbmon-dump://DB-SERVER/INPUT_SAMPLE_1] finished in duration=22 ms with resultCount=31 success=true continueMonitoring=true
The Splunk's \spool\dbmon directory has the the right csv_*.dbmonevt files.
Yet I don't see any data when I try to do the search. Even the source type is not there.
Am I missing a step in order for this to work?
Nothing shows up ...
Even when I try source=dbmon-tail://...., there is nothing there.
Splunk does not even recognize this source or sourcetype.
the index that you specified in your database inputs, did you create that index in indexes.conf?
Where can I find that file index.conf?
I have deleted the old database input and created a new one (index = input1).
Here's the the inputs.conf (I have not changed anything there):
[script://./bin/jbridge_server.py]
index = input1
sourcetype = dbx_jbridge
interval = 0
disabled = false
passAuth = splunk-system-user
[script://.\bin\jbridge_server.py]
index = input1
sourcetype = dbx_jbridge
interval = 0
disabled = false
passAuth = splunk-system-user
Are there any files that I need to add that index to?
This is still not working. I got nothing with the search inddex = "input1"
Thanks a lot for your help. I think I'm getting closer.
If you want to create a index as "input1" you have to create it in indexes.conf. More details here
http://docs.splunk.com/Documentation/Splunk/6.1.3/admin/Indexesconf
I am using the deafult index (Splunk Index: index). I suppose that is already defined.
I don't think there is any index which is called as 'index', you can try 'main' index or create your own index and then configure dbinputs for that index .
Thanks, I changed the index to main but sill no luck. Do I need to configure the index I create? Where should I do that? I see the "inputs.conf". Is that the one?
After you change the index to main, you have to make sure new events are returned for your query. I would suggest creating a new database inputs rather than modifying the existing one.
Did you try just with the source filter and see?
source will be your dbmon input like below
source=dbmon-tail://*
Sometime you can get problems with license restrictions or can define index by default, if so, you could check main index.
In addition, check Activity->jobs.
Thanks ... I don't see any license alerts or violations and the volume that I have used today is way below the allowed daily volume. I checked "Activity->jobs", but I could not see any jobs there.