A Splunk query successfully returns data when executed using the Test Query function in the Integration Wizard (IW) but fails when running its IW job. Indications of failure include the following:
RiskFabric_IW_DataSourceQueryID_<ID>
) will be 'Failed'USE RiskFabric;
GO
SELECT DataSourceQueryName,
DataSourceQueryDescription,
JobName
FROM dbo.IW_DataSourceQuery AS dsq
INNER JOIN dbo.LinkedServers AS ls
ON dsq.LinkedServerID = ls.LinkedServerID
WHERE LinkedServerTypeID = 32;
GO
RiskFabric_IW_DataSourceQueryID_<ID>
) will be 'Failed'[1:ERROR] SplunkApi.Login() Error while executing Login System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond <IP-address>:<port-number>
[1:ERROR] SplunkApi.Login() Error while executing Login
System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it <IP-address>:<port-number>
Version : 6.x
Component : Splunk Import Utility
Topology : Two- or three-server (tier) architecture in which Internet Information Services (IIS) and Microsoft SQL Server (MSSQL) are not co-hosted on the same server
The Splunk server's firewall has been configured to allow connections from the IIS server but not from the MSSQL server.
The Test Query function in ICA initiates a Splunk search through an API call directly from the IIS server, whereas data source queries are initiated through an IW job that executes ICA's Splunk Import Utility. The Splunk Import Utility is installed by default with ICA's Database Utilities on the MSSQL server.
Create a rule on the Splunk server's firewall to allow connections from the MSSQL server. The default Splunk REST API port is 8089
.