Hi: I'm trying to get the Splunk DB Connect app to pull data from an Oracle database into Splunk.
Working:
Database Connection
DB Info
DB Query with the SQL statement I'm using
Not Working: When I go to set up the query to actually pull data into a Splunk index, I cannot seem to get anything to go into the index from the query.
What I've done:
Created a new index for the data
Specify the SQL query in a new database input
Scheduled query
New index in the Splunk app & new index in the dbx app
Every 1/2 hour & auto
dump (not tailed, wanted to keep it simple to start)
no source type & tried with a new sourcetype
Output formatting:
Key-Value format
Output timestamp with proper field and value & no output timestamp specified
Before restarting Splunk after specifying the new index, I've gotten the message below, with different variations on the information contained within based on what I've chosen on the query. This message has seemed to go away after rebooting Splunk:
Search peer <splunkindexer> has the following message: received event for unconfigured/disabled/deleted index='dbxtest' with source='source::dbmon-dump://<connectionname>' host='host::<databaseconnection>' sourcetype='sourcetype::dbmon:kv' (3 missing total)
Things I have not tried:
Custom source type, don't see the point
Look-up table, again, don't see the point
Maybe I'm looking at this the wrong way, but I'm trying to test whether there is data in the index by searching for index=dbxtest range:all time from within the Splunk dbx app.
Thank you for any information/assistance you could provide.