Splunk® DB Connect

Deploy and Use Splunk DB Connect

This documentation does not apply to the most recent version of Splunk® DB Connect. For documentation on the most recent version, go to the latest release.

db_inputs.conf.spec

[<name>]
description = <value>
# optional
# Description for this lookup

interval = <value>
# required
# interval to fetch data from DB and index them in Splunk
# It could be a number of seconds or a cron expression

index = <value>
# optional
# index to store events imported in Splunk
# If not specified default index is used

source = <value>
# optional
# source associated to events indexed
# By default, the stanza name will be used

sourcetype = <value>
# required
# source type associated to events indexed

host = <value>
# optional
# host associated to events indexed

mode = (batch|advanced)
# required
# Operational mode. batch or advanced.

connection = <value>
# required
# Indicates the database connection to work on.

query = <value>
# required
# SQL statement to retrieve data from remote database connection.

query_timeout = <int>
# optional
# the max execution time of a SQL, the default is 30 seconds.

max_rows = <int>
# optional
# the max rows of data retrieval. the default is all (unlimited).

fetch_size = <int>
# optional
# The number of rows to return at a time from the database. The default is 300.

batch_upload_size = <int>
# optional
# Number of rows to be uploaded to HEC in one batch.  Default is 1000.



tail_rising_column_name = <value>
# optional if batch mode
# at tail mode, the rising column is the column which is always rising as the checkpoint of the tail loading.

tail_rising_column_fullname = <value>
# optional if batch mode
# fullname of input tail rising column, currently this value is used by front end only.

tail_rising_column_number = <int>
# optional if batch mode
# at tail mode, the position of rising column in the data loading.



input_timestamp_column_name = <value>
# optional
# the input timestamp column name, the data of this column will be the event time. If not set, dbinput will use the current timestamp as the event time.

input_timestamp_column_fullname = <value>
# optional
# fullname of input timestamp column, currently this value is used by front end only.

input_timestamp_column_number = <int>
# optional
# the timestamp column number at the position of the query.


input_timestamp_format = <value>
# optional
# specify the format of input timestamp column, in JavaSimpleDateString format.


max_single_checkpoint_file_size = <int>
# optional
# Max checkpoint file size before archiving checkpoint file in bytes.  Default is 10MB, max is 100MB.



ui_query_mode = (simple|advanced)
# optional
# specify whether the ui should use simpple mode or adanced mode for SQL queries

ui_query_catalog = <value>
# optional
# in simple mode, this value will be pre-populated into the catalog dropdown

ui_query_schema = <value>
# optional
# in simple mode, this value will be pre-populated into the schema dropdown

ui_query_table = <value>
# optional
# in simple mode, this value will be pre-populated into the query dropdown

Example

[test_input]
interval = 3600
index = main
sourcetype = dummy_type
mode = batch
connection = test_connection
query = SELECT * FROM `sakila`.`actor`
max_rows = 100
ui_query_catalog = sakila
ui_query_mode = simple
ui_query_schema = NULL
ui_query_table = actor


[test_advanced_input]
interval = 3600
index = main
sourcetype = dummy_type
mode = advanced
connection = test_connection
query = SELECT * FROM `sakila`.`actor` where actor_id >= ? order by actor_id
max_rows = 100
ui_query_catalog = sakila
ui_query_mode = advanced
ui_query_schema = NULL
ui_query_table = actor
tail_rising_column_name = actor_id
Last modified on 19 June, 2017
db_connections.conf.spec   db_outputs.conf.spec

This documentation applies to the following versions of Splunk® DB Connect: 3.0.0, 3.0.1, 3.0.2, 3.0.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters