How to send DBX Input results on HF to external (remote) index/indexer

splunk_svc
Path Finder

Hi Splunkers.
We currently have a distributed/clustered setup with separate Indexers and HFs.

One of the HFs has the DB Connector installed on it.
This is currently working insofar as we are able to successfully produce results from a configured DB Input.
We are trying to get this HF to forward DB query results to a remote indexer, i.e. we are not storing any data locally on the HF.

All the HFs (including the one with the DB Connector) have the same forwarder config pointing to the indexers.
Despite this we can't get this HF to forward the output from the DB input to the Indexers.

I notice when configuring the DB Input in the DBX, the source, sourcetype and index dropdowns are populated with local options but let you supply your own values for these.

Note:

  • The index we have configured for the DB input exists on the remote indexers.
    The config screen does however display the following message when providing the index name in the config:

    The index does not exist in this instance. Please create the index or make sure the index exists in other Splunk instances.

  • The forwarding config for this HF points to the indexers. It's the same forwarding config running on our other HFs which is working correctly.

Is there anything else we need to do to get this DBX instance successfully forwarding to the remote indexers?

Thanks.

0 Karma

harsmarvania57
SplunkTrust

Hi @splunk_svc,

As you are sending data from the HF to distributed indexers but the DBX app is not displaying indexes which are present on the indexers, you need to create those indexes on the HF. The HF will not store any data in those indexes itself, but it still requires those blank indexes.

I hope this helps.

Thanks,
Harshil

0 Karma
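An added illustration of the reply above, not part of either poster's message: a placeholder index defined on the heavy forwarder, next to a forwarding config that does not index locally. The index name `dbx_example_index`, the output group name and the indexer hostnames are hypothetical; the index name has to match the one that exists on the indexers.

```ini
# --- indexes.conf on the heavy forwarder ---
# e.g. $SPLUNK_HOME/etc/system/local/indexes.conf or an app's local/ directory.
# Placeholder definition so the index name is known locally.
# "dbx_example_index" is a hypothetical name: use the name of the index
# that already exists on the remote indexers.
[dbx_example_index]
homePath   = $SPLUNK_DB/dbx_example_index/db
coldPath   = $SPLUNK_DB/dbx_example_index/colddb
thawedPath = $SPLUNK_DB/dbx_example_index/thaweddb

# --- outputs.conf on the heavy forwarder ---
# Same forwarding config as the other HFs. With indexAndForward = false
# (the default) events are forwarded and not written to the local index.
[tcpout]
defaultGroup = example_indexers
indexAndForward = false

# Hypothetical group name and indexer addresses.
[tcpout:example_indexers]
server = idx1.example.com:9997, idx2.example.com:9997
```

Restart Splunk on the HF after editing these files so the new index definition is loaded.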

splunk_svc
Path Finder

Have done some further digging.
I've been able to manually get some test data from this HF to the indexers via the "add data" option from the HF's web console (so I know the general forwarding config on the HF is correct).

I see this test data when I run a query from the SH but can't get any data produced by the DB Connector itself to arrive at the forwarders.

For those people running a DB Connector on a HF with distributed indexers, what did you have to do to the results of the DB input to make it to the indexers?

0 Karma

splunk_svc
Path Finder

It seems unless you add the index manually by editing the config file, only local indexes are listed in the configuration dropdown.

i.e. the dropdown doesn't let you manually type in an index name that only exists on a remote indexer.

0 Karma