I'm using DB Connect to input some data from Oracle. I have Splunk installed on a Windows 2016 Server. I cannot seem to get any of my sourcetypes read or used with an input created via DB Connect. No matter what I do, if I run a search from the "Find Events" button of the DB Connect application, then click on "+Extract New Fields", it returns an error: "The events associated with this job have no sourcetype information: ". Every. Single. Time. Sample query:   index=thejoy sourcetype=WHYNOT source=JUSTWORKSERIOUSLY OR source=mi_input://JUSTWORKSERIOUSLY     Interestingly enough, if I run the following query I get the EXACT same results:   index=thejoy source=JUSTWORKSERIOUSLY OR source=mi_input://JUSTWORKSERIOUSLY     I get data back from both of these results, but am unable to extract new fields. I have tried doing the following: *Creating a new Index and assigning it to splunk_app_db_connect *Creating a new Index and assigning it to search *Creating a new SourceType via Settings > SourceTypes and setting it to Searching & Reporting *Creating a new SourceType via Settings > SourceTypes and setting it to Splunk DB Connect *Specified the Application for the Data Input to be DB Connect *Specified the Application for the Data Input to be the Splunk Search *Changing Permissions on DB Connect to allow Everyone to Read/Write *Creating a new user and doing all of the above *In DB Connect, typing a new value for SourceType that doesn't exist so it gets created automatically No matter what I try, I just seem to get the same message about no sourcetype information being available for the job. If I create a new source type via Settings > SourceTypes in the main splunk menu, it doesn't show up in the list for DB Connect (which I understand is a bug). This changes very little, since it's apparently not being used anyways. If I let DB Connect create a new sourcetype, I do not see it appear in the Settings > SourceTypes menu after the DB Input is created and a successful search is executed. Also, when I check the props.conf file located in: C:\Program Files\Splunk\etc\apps\splunk_app_db_connect\local\ my sourcetype is not present at all in the file; it's just an empty file. I'm just simply at a loss here on why this is happening and what to do. I just want my DB Inputs to recognize my sourcetypes. Ultimately, I want to parse my data as it is going into Splunk using a specific source type. I'm at the point where I'm considering doing a fresh install of Splunk. Any help on this extremely frustrating issue would be greatly appreciated. ... View more

I have configured a Database Input in DB Connect to pull in data from an Oracle view. A sample string from one of the events follows: 2023-02-28 15:40:50.760, AUDIT_TYPE="Standard", OS_USERNAME="Administrator", TERMINAL="unknown", DBUSERNAME="RACOON", CLIENT_PROGRAM_NAME="SQL Developer", STATEMENT_ID="978", EVENT_TIMESTAMP="2023-02-28 18:40:50.76", ACTION_NAME="ALTER USER", OBJECT_NAME="SPLUNK", SQL_TEXT="ALTER USER "SPLUNK" DEFAULT ROLE "CONNECT","AUDIT_VIEWER"", SYSTEM_PRIVILEGE_USED="SYSDBA", CURRENT_USER="SYS", UNIFIED_AUDIT_POLICIES="ORA_SECURECONFIG" However, when I run this search the fields are not correctly identified: index=oracle_audit sourcetype=ID source=OracleAuditConnection Specifically, what should be fields like TERMINAL, CLIENT_PROGRAM_NAME, and OS_USERNAME (among many others) are not identified as fields. Additionally, the search is picking up values as fields, that should not be fields at all (often from the SQL_TEXT field). For example, "ACTIONS ALTER ON SPLUNK.BAT" is picked up as a field, rather than a value. I can improve the results a little by using the following: index=oracle_audit sourcetype=ID source=OracleAuditConnection | extract pairdelim="\"{,}" However, it still does not correctly identify all the fields. Nor does it work on the more complicated SQL_TEXT field, which may contain quotations and the equals signs at time. What can I do to successfully have all of my fields extracted? Is there any trick I can do, given that I am using DB Connect? ... View more