Splunk DB Connect: where exactly does the indexed data get stored

burwell
SplunkTrust

I would like to use Splunk DB Connect to get MySQL data into Splunk. I want the data to go into indexes on our indexers.

So I install the drivers and DB Connect add-on on our search head.

The part I am not clear on is how to get the data to our indexers, not an index on the search head.

If I run a test query on the search head to pull from MySQL -> Splunk index, will that cause the data to get stored on one of the search peers (indexers), or how does that work exactly?

0 Karma
1 Solution

woodcock
Esteemed Legend

That is the dirty little secret about DB Connect: The data that comes in is not licensed. This is why Splunk hobbled dbxquery to limit it to 50K events returned. Splunk either knew (or suspected) that people were using dbquery plus collect to pull in DB data and bypass licensing. Most of my use of dbxquery is ad-hoc and transient and maybe yours is, too. In that case the data disappears with your search (unless, like I said, you pass it to collect to store it into a Summary Index, which again, does NOT get licensed).

einkebil
Explorer

Hello, to get data collected by your search head, you have to configure it as a heavy forwarder and load balance incoming data (use the appropriate stanza) to balance to your indexers.

My tip: if you have a lot of dbconnect[2] queries, you had better configure db connect[2] on a dedicated heavy forwarder (with web UI for convenience).
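What "the appropriate stanza" can look like in `outputs.conf` on a dedicated heavy forwarder running DB Connect, as an added example that is not part of the original thread. The group name, hostnames and port are assumptions to replace with your own.

```ini
# outputs.conf on the heavy forwarder that runs DB Connect
# (group name and indexer addresses below are placeholders)

[tcpout]
# Send everything to the indexer group instead of a local index
defaultGroup = primary_indexers
# Do not keep a local indexed copy on the forwarder
indexAndForward = false

[tcpout:primary_indexers]
# Listing several indexers enables automatic load balancing across them
server = idx1.example.com:9997, idx2.example.com:9997
# Seconds between switching to another indexer in the list
autoLBFrequency = 30
# Wait for indexer acknowledgement so events are not lost in transit
useACK = true
```

With this in place, DB Connect inputs defined on the forwarder write to the index named in each input, and the events are stored on the indexers listed under `server`.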

burwell
SplunkTrust

I guess I was confused by the DBConnect references to installation in a distributed environment (we use SHC.)

http://docs.splunk.com/Documentation/DBX/2.1.3/DeployDBX/Distributeddeployment

I do want to be able to periodically pull a few tables from a MySQL db to use with my SHC for querying.

Yeah, I don't want my Search Heads to be heavy forwarders.

So if I configure one dedicated heavy forwarder to pull the data from my DB, then no DB Connect needs to be installed on the search heads?

0 Karma

einkebil
Explorer

You probably need dbconnect on your SH if you need it (for example, to use one of the tools provided, like direct query).

0 Karma
