All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I configure DB Connect Outputs to send data from a search head?

vxb4892
Engager
‎12-31-2018 10:08 AM

I currently have a connection set up from my Splunk search head(SH) in DB Connect to an external database where I'm trying to export the results of a Splunk search. The search works correctlyd. I have both read and write permissions to the relevant database and the target tables, my fields are mapped correctly, and I'm not seeing any errors in my internal db logs. The issue is, however, that despite everything appearing to work on the surface, I'm not seeing any data appear in the DB table as expected.

The data source for the search is indexed via an Http Event Collector connection. The goal is to take this indexed data, perform some aggregate calculations, and then export the result to another Database. I am able to access this index through my SH, but not through my Heavy Forwarder(HF). How can I get this data exported to this database? If it's not possible directly from the SH, then is there a way for me to first send the data to the HF and then establish a DB Connect connection from there?

Any and all help would be much appreciated!

0 Karma
Reply

scc00
Contributor
‎01-14-2019 12:55 PM

How is it configured currently within the SH? Do you have DBConnect installed there? How have you set it up to be forwarded?

0 Karma
Reply

woodcock
Esteemed Legend
‎01-09-2019 05:04 PM

What version of dbconnect are you using? What is your search SPL (or at least the last 2 pipes of it)?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2019 04:46 AM

Have you looked at the search log (via Job Inspector) to see what errors, if any, are reported?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...