Hi,

I am attempting to use dbxquery to fetch and transform the results of an extended events session from MSSQL Server 2016 which has been saved to a file. I have three saved searches which follow the same format, two of which work and one which doesn't, and behaves quite peculiarly. When I attempt to run the query below, I get a ChunkedExternProcessor error:

07-28-2020 23:32:01.824 ERROR ChunkedExternProcessor - Failed attempting to parse transport header: ,,,,,,,,,,\r\r
07-28-2020 23:32:01.924 ERROR ChunkedExternProcessor - Error in 'dbxquery' command: Invalid message received from external search command during search, see search.log.

| dbxquery query="SELECT event_data = CONVERT(XML, event_data)
    INTO #<TempTableName>
    FROM sys.fn_xe_file_target_read_file('<PathToLogFile>/LogFile*',null,null,null)
    SELECT
      name = event_data.value(N'(event/@name)[1]', N'varchar(max)'),
      errorNumber = event_data.value(N'(event/data[@name="error_number"]/value)[1]', N'varchar(max)'),
      severity = event_data.value(N'(event/data[@name="severity"]/value)[1]', N'varchar(max)'),
      message = event_data.value(N'(event/data[@name="message"]/value)[1]', N'varchar(max)'),
      hostname = event_data.value(N'(event/action[@name="client_hostname"]/value)[1]', N'varchar(max)'),
      username = event_data.value(N'(event/action[@name="username"]/value)[1]', N'varchar(max)'),
      [sql] = event_data.value(N'(event/action[@name="sql_text"]/value)[1]', N'varchar(max)'),
      session_id = event_data.value(N'(event/action[@name="session_id"]/value)[1]', N'varchar(max)'),
      query_hash = event_data.value(N'(event/action[@name="query_hash"]/value)[1]', N'varchar(max)'),
      database_id = event_data.value(N'(event/action[@name="database_id"]/value)[1]', N'varchar(max)'),
      client_app_name = event_data.value(N'(event/action[@name="client_app_name"]/value)[1]', N'varchar(max)')
    FROM #<TempTableName>" connection="<My connection name>"

I am confused why my other queries, which follow this same format, work, yet this one returns this error. If I reduce the number of fields to just 'name', the error changes to one of two possibilities:

07-28-2020 23:36:16.429 ERROR ChunkedExternProcessor - stderr: Traceback (most recent call last):
07-28-2020 23:36:16.429 ERROR ChunkedExternProcessor - stderr: File "C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\bin\dbxquery_bridge.py", line 90, in <module>
07-28-2020 23:36:16.429 ERROR ChunkedExternProcessor - stderr: main()
07-28-2020 23:36:16.429 ERROR ChunkedExternProcessor - stderr: File "C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\bin\dbxquery_bridge.py", line 86, in main
07-28-2020 23:36:16.429 ERROR ChunkedExternProcessor - stderr: bridge.connect()
07-28-2020 23:36:16.429 ERROR ChunkedExternProcessor - stderr: File "C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\bin\dbxquery_bridge.py", line 38, in connect
07-28-2020 23:36:16.429 ERROR ChunkedExternProcessor - stderr: self.read_from_dbxquery_server_write_to_stdout()
07-28-2020 23:36:16.429 ERROR ChunkedExternProcessor - stderr: File "C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\bin\dbxquery_bridge.py", line 74, in read_from_dbxquery_server_write_to_stdout
07-28-2020 23:36:16.429 ERROR ChunkedExternProcessor - stderr: data = recv(1024 * 1024)
07-28-2020 23:36:16.429 ERROR ChunkedExternProcessor - stderr: ConnectionAbortedError: [WinError 10053] An established connection was aborted by the software in your host machine

or,

07-28-2020 23:37:45.389 ERROR ChunkedExternProcessor - Failed attempting to parse transport header: eported,\r\r
07-28-2020 23:37:45.490 ERROR ChunkedExternProcessor - Error in 'dbxquery' command: Invalid message received from external search command during search, see search.log.

The name field should read "error reported" so the 'eported' implies some information is being missed, and the connection is being closed too early, but I am not sure why this would occur. Any ideas?

Thanks