Hello all,
I'm new to Splunk DB Connect and SQL in general but got a new input to work initially with a rising column.
The rising column is a unique field that increments each time a new record is added to the table. Example of my query with the checkpoint:
WHERE recordNumber > ?
ORDER BY recordNumber ASC
For some reason it stopped indexing new events after I initially set it up. I manually changed the checkpoint value in the inputs and then it will index new data. But then again it'll stop indexing new data the next day - the cron schedule is set to run nightly. So far it's missing 2 days worth of data.
So I checked the checkpoint data in the directory below and it seems to keep reverting back to the value of 999....The value I manually changed was to 1551. Note: I changed the cron schedule to test indexing and it worked fine when I manually changed the checkpoint value.
SPLUNK_HOME/var/lib/splunk/modinputs/server/splunk_app_db_connect/example_input
{"value":"0","appVersion":"3.1.3","columnType":12,"timestamp":"2019-10-02T13:34:07.038-04:00"}
{"value":"0","appVersion":"3.1.3","columnType":12,"timestamp":"2019-10-03T10:30:17.758-04:00"}
{"value":"501","appVersion":"3.1.3","columnType":12,"timestamp":"2019-10-03T11:25:00.369-04:00"}
{"value":"999","appVersion":"3.1.3","columnType":12,"timestamp":"2019-10-03T11:25:00.460-04:00"}
{"value":"1551","appVersion":"3.1.3","columnType":12,"timestamp":"2019-10-08T11:27:42.874-04:00"}
{"value":"910","appVersion":"3.1.3","columnType":12,"timestamp":"2019-10-08T11:30:00.391-04:00"}
{"value":"999","appVersion":"3.1.3","columnType":12,"timestamp":"2019-10-08T11:30:00.421-04:00"}
Not sure if I am doing something wrong, do any of you see anything wrong that I'm doing? Thanks for your time.
↧