All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I configure DB Connect Outputs to send data from a search head?

vxb4892
Engager
‎12-31-2018 10:08 AM

I currently have a connection set up from my Splunk search head(SH) in DB Connect to an external database where I'm trying to export the results of a Splunk search. The search works correctlyd. I have both read and write permissions to the relevant database and the target tables, my fields are mapped correctly, and I'm not seeing any errors in my internal db logs. The issue is, however, that despite everything appearing to work on the surface, I'm not seeing any data appear in the DB table as expected.

The data source for the search is indexed via an Http Event Collector connection. The goal is to take this indexed data, perform some aggregate calculations, and then export the result to another Database. I am able to access this index through my SH, but not through my Heavy Forwarder(HF). How can I get this data exported to this database? If it's not possible directly from the SH, then is there a way for me to first send the data to the HF and then establish a DB Connect connection from there?

Any and all help would be much appreciated!

0 Karma
Reply

scc00
Contributor
‎01-14-2019 12:55 PM

How is it configured currently within the SH? Do you have DBConnect installed there? How have you set it up to be forwarded?

0 Karma
Reply

woodcock
Esteemed Legend
‎01-09-2019 05:04 PM

What version of dbconnect are you using? What is your search SPL (or at least the last 2 pipes of it)?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-10-2019 04:46 AM

Have you looked at the search log (via Job Inspector) to see what errors, if any, are reported?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...