All Apps and Add-ons

Why does Splunk DB Connect not forward any event since being in a Search Head cluster?

Gomelsar
Engager

Hi,
I had 1 search head (SH) on which i installed Splunk DB connect everything was working fine.
Recently, i added 2 more SH and put them in a cluster mode.
However, i used the deployer to install Splunk DB Connect on the 2 other SH but since then db connect doesn't forward any data to the indexer cluster. The last event i have is the one sent with the Stand alone SH
I checked that my index is created also that the connection is fine.
Here is log that i have:

2017-05-24T05:01:29+0200 [INFO] [mi_base.py], line 188: action=caught_exception_in_modular_input_with_retries modular_input=mi_input://answers-oab retrying="6 of 6" error=Request failed: Session is not logged in. Traceback (most recent call last): File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/mi_base.py", line 177, in run should_execute = runner.pre_run() File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/mi_base.py", line 107, in pre_run should_execute = self.clustering_precheck() File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/mi_base.py", line 92, in clustering_precheck is_clustering_enabled = shc_cluster_config.is_clustering_enabled() File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/splunk_client/shc_cluster_config.py", line 17, in is_clustering_enabled mode = self.content['mode']

I added an outputs.conf on the SH but it doesn't work.
I'm really stuck with this!
Thanks for your help

0 Karma
1 Solution

Gomelsar
Engager

Hello,
I could resolve the error by running the DB input script on the Search head captain.
If you install DB connect in a SH cluster, run your scripts from the captain only.
It's recommanded if you have a large amount of data in your DB connect to use a heavy forwarder instance to manage it.
Hope that helps guys.
Thanks

View solution in original post

0 Karma

Gomelsar
Engager

Hello,
I could resolve the error by running the DB input script on the Search head captain.
If you install DB connect in a SH cluster, run your scripts from the captain only.
It's recommanded if you have a large amount of data in your DB connect to use a heavy forwarder instance to manage it.
Hope that helps guys.
Thanks

View solution in original post

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

Hi @Gomelsar - Did your answer provide a working solution to your question? If yes and you would like to close out your post, don't forget to click "Accept". Thanks!

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!