I had 1 search head (SH) on which i installed Splunk DB connect everything was working fine.
Recently, i added 2 more SH and put them in a cluster mode.
However, i used the deployer to install Splunk DB Connect on the 2 other SH but since then db connect doesn't forward any data to the indexer cluster. The last event i have is the one sent with the Stand alone SH
I checked that my index is created also that the connection is fine.
Here is log that i have:
2017-05-24T05:01:29+0200 [INFO] [mi_base.py], line 188: action=caught_exception_in_modular_input_with_retries modular_input=mi_input://answers-oab retrying="6 of 6" error=Request failed: Session is not logged in. Traceback (most recent call last): File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/mi_base.py", line 177, in run should_execute = runner.pre_run() File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/mi_base.py", line 107, in pre_run should_execute = self.clustering_precheck() File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/mi_base.py", line 92, in clustering_precheck is_clustering_enabled = shc_cluster_config.is_clustering_enabled() File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/dbx2/splunk_client/shc_cluster_config.py", line 17, in is_clustering_enabled mode = self.content['mode']
I added an outputs.conf on the SH but it doesn't work.
I'm really stuck with this!
Thanks for your help
I could resolve the error by running the DB input script on the Search head captain.
If you install DB connect in a SH cluster, run your scripts from the captain only.
It's recommanded if you have a large amount of data in your DB connect to use a heavy forwarder instance to manage it.
Hope that helps guys.