I am using an input in Splunk 6.4.3 and Splunk DB Connect 2.3 that makes use of Rising Column in Advanced mode for MySQL.
Indexing occurs correctly, and all goes well until it has finished parsing data and no new data is available.
This occurs on all my inputs (9) and makes my MySQL go up to 90% CPU usage without motive.
When indexing, if I do a show full processlist, it shows the search being performed with the rising column value.
But after it has finished the initial index, every time it has to run (specified by interval value set to 60), I notice CPU goes up and my show full processlist indicates that my rising column value is empty: ''.
My Input is:
[mi_input://xxxx_occupancy]
connection = xxxx
index = xxxx_idx
interval = 60
mode = advanced
query = SELECT alert.id AS alert_id,\
alert.timestamp AS alert_timestamp,\
occupancy.occupancy AS occupancy_occupancy,\
barrier.id AS barrier_id,\
barrier.name AS barrier_name,\
barrier.process_id AS barrier_process_id\
FROM \
(SELECT *\
FROM alert\
WHERE alert.id > ?) AS alert\
JOIN occupancy\
ON alert.id=occupancy.alert_id\
JOIN barrier\
ON occupancy.barrier_id=barrier.id\
JOIN process\
ON alert.process_id=process.id\
WHERE process.license_id>1099\
AND process.license_id<1200\
AND process.active=1\
AND barrier.process_id is NOT NULL
source = //xxxx/xxxx_occupancy
sourcetype = xxxx_occupancy
tail_follow_only = 1
tail_rising_column_checkpoint_value = 12081444
tail_rising_column_name = alert_id
ui_query_mode = advanced
disabled = 0
enable_query_wrapping = 1
max_rows = 5000000
output_timestamp_format = epoch
ui_query_schema = NULL
input_timestamp_column_fullname = (002) alert.alert_timestamp.TIMESTAMP
input_timestamp_column_name = alert_timestamp
tail_rising_column_fullname = (001) alert.alert_id.BIGINT
fetch_size = 1000
And the show full processlist query is:
SELECT alert.id AS alert_id,
alert.timestamp AS alert_timestamp,
occupancy.occupancy AS occupancy_occupancy,
barrier.id AS barrier_id,
barrier.name AS barrier_name,
barrier.process_id AS barrier_process_id
FROM
(SELECT *
FROM alert
WHERE alert.id > '') AS alert
JOIN occupancy
ON alert.id=occupancy.alert_id
JOIN barrier
ON occupancy.barrier_id=barrier.id
JOIN process
ON alert.process_id=process.id
WHERE process.license_id>1099
AND process.license_id<1200
AND process.active=1
AND barrier.process_id is NOT NULL
As there are many results, searching without taking into account rising column for:
(SELECT *
FROM alert
WHERE alert.id > '') AS alert
results in unnecessary CPU cycles that should take less than 300ms and take 30 seconds or more.
Any help would be very much appreciated.
NOTE: Didn't have this behaviour in Splunk DB Connect 1.1.6.
Kind regards,
David