Splunk® DB Connect

Deploy and Use Splunk DB Connect


NOTE - Splunk DB Connect version 1.x reached its End of Life on July 28, 2016. Please see the migration information.
This documentation does not apply to the most recent version of DBX.


Note: Modifying inputs.conf file stanzas outside of the DB Connect app, such as in the search app or manager context, is not supported.

# Copyright (C) 2005-2012 Splunk Inc. All Rights Reserved.
# This file contains the database monitor definitions


interval = auto|<relative time expression>|<cron expression>
     * Use to configure the schedule for the given database monitor.
     * Schedule types:
           * auto - The scheduler automatically chooses an interval based on the number of generated results.
           * relative time expression - The number of seconds or a relative time expression.
                * interval = 60 (runs every 60 seconds)
                * interval = 1h (runs every hour)
           * cron expression
                * interval = 0/15 * * * *       (run every 15 minutes) 
                * interval = 0 18 * * MON-FRI * (run every weekday at 6pm)

query = <string>
     * The query option defines the exact SQL query executed against the database

table = <string>
     * If a query is not specified, DBmon automatically creates a SQL query from the given table name. 
        Example: SELECT * FROM <table>.

output.format = [kv|mkv|csv|template]
     * The output format.
     * Format types:
       * kv: Simple key-value pairs.
       * mkv: Multiline key-value pairs. (Each key-value pair is printed on its own line.)
       * csv: CSV-formatted events.
       * template: Specify the generated events using the <output.template> or <output.template.file> options.

output.template = <string>

output.template.file = <string>

output.timestamp = [true|false]
     * Controls whether or not the generated event is prefixed with a timestamp value.

output.timestamp.column = <string>
     * The column of the result set from which the timestamp is fetched. If this is omitted, the monitor execution time
       is used as the timestamp value.

output.timestamp.format = <string>
     * The format of the output timestamp value expressed as a Java SimpleDateFormat pattern.

output.timestamp.parse.format = <string>
     * Used when the timestamp in the column defined by <output.timestamp.column> is a string value, such as varchar or nvarchar.
     * Lets you define a (SimpleDateFormat) pattern for parsing the timestamp.

output.fields = <list>
     * The fields to print in the generated event.

# A Tail Database monitor remembers the value of a column in the result and only fetches entries with a higher value
# in future executions.


tail.rising.column = <string>
     * A column with a value that is always rising. The best option is to use an auto-incremented value or a sequence. 
     * A creation or last-update timestamp is a good choice.

tail.follow.only = [true|false]
     * If this option is set to true, nothing is indexed on the first run (default is false).
     * This only affects the first execution of the monitor. 

dbmon examples

Example: Monitoring a database table.

output.format = kv
output.timestamp = 1
output.timestamp.column = last_update
table = actor
tail.rising.column = actor_id
# both actor_id and last_update are fields in table actor.

Example: Advanced SQL with joins and ORDER BY.

output.format = kv
output.timestamp = 1
query = SELECT A.address_id, A.address, C.city FROM address A, city C WHERE C.city_id=A.city_id {{ AND $rising_column$ > ? }} ORDER BY A.address_id
sourcetype = mysource
tail.rising.column = address_id
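
The rising-column mechanism used by the example above, as an added Python/sqlite3 illustration (not Splunk's code and not part of the original page). `build_query`, `TailMonitor` and the sample rows are constructed for this sketch, and it assumes the `{{ ... }}` block is included only once a checkpoint value exists; the checkpoint is passed as a bound parameter for the `?` placeholder rather than concatenated into the SQL.

```python
import re
import sqlite3

# Query template copied from the page's example above.
QUERY = ("SELECT A.address_id, A.address, C.city FROM address A, city C "
         "WHERE C.city_id=A.city_id {{ AND $rising_column$ > ? }} ORDER BY A.address_id")

def build_query(template, rising_column, checkpoint):
    """Return (sql, params); the {{ ... }} block is kept only when a checkpoint exists (assumption)."""
    if checkpoint is None:
        return re.sub(r"\{\{.*?\}\}", "", template), ()
    sql = template.replace("{{", "").replace("}}", "")
    # The column name comes from configuration; the checkpoint value is bound, never concatenated.
    return sql.replace("$rising_column$", rising_column), (checkpoint,)

class TailMonitor:
    """Hypothetical stand-in for a tail monitor; not DB Connect's implementation."""
    def __init__(self, conn, template, rising_column, follow_only=False):
        self.conn, self.template = conn, template
        self.rising_column, self.follow_only = rising_column, follow_only
        self.checkpoint = None   # highest rising-column value seen so far
        self.first_run = True

    def run(self):
        sql, params = build_query(self.template, self.rising_column, self.checkpoint)
        cur = self.conn.execute(sql, params)
        names = [d[0] for d in cur.description]
        rows = [dict(zip(names, r)) for r in cur.fetchall()]
        if rows:
            self.checkpoint = max(r[self.rising_column] for r in rows)
        # tail.follow.only: record the checkpoint but emit nothing on the first run.
        skip = self.first_run and self.follow_only
        self.first_run = False
        return [] if skip else rows

def demo_db():
    """Constructed sample data in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE city (city_id INTEGER PRIMARY KEY, city TEXT);
        CREATE TABLE address (address_id INTEGER PRIMARY KEY, address TEXT, city_id INTEGER);
        INSERT INTO city VALUES (1, 'Lethbridge'), (2, 'Woodridge');
        INSERT INTO address VALUES (1, '47 MySakila Drive', 1), (2, '28 MySQL Boulevard', 2);
    """)
    return conn
```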


Example: Advanced SQL with joins and ORDER BY.

output.format = kv
output.timestamp = 1
output.timestamp.column = last_update
query = SELECT A.address_id, A.address, A.last_update AS last_update, C.city FROM address A, city C WHERE C.city_id=A.city_id ORDER BY A.city_id
sourcetype = mysourcetype


change.hash.algorithm = MD5|SHA256



This documentation applies to the following versions of Splunk® DB Connect: 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.0.11, 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.2.0, 1.2.1, 1.2.2


The entry _INDEX_AND_FORWARD_ROUTING for selective indexing does not seem efficient, for dbmon-tail. Is it coming in the next versions?
Best regards

March 1, 2016

Hi Vincent. Yes, dbmon-* inputs should support the disabled attribute. If you're having trouble, please contact Splunk Support. Thanks! --Matt

Mtevenan splunk, Splunker
February 11, 2016

Is disabled=0 supported in this conf file?

February 9, 2016

Some examples would actually be great. What I see is that many people, including myself, are struggling to make it work.

May 3, 2014
