Hi,
In our production environment we have one search head and two indexers; all the instances are running Splunk version 7.1.1. Recently we faced an issue on one of our indexers where DB_Inputs were automatically removed from the Splunk DB Connect app, version 2.4.0. As our vendor suggested, we upgraded the DB Connect app to 3.1.4. But now we are facing a different issue: whenever the Splunk DB Connect app 3.1.4 is enabled, the internal logs are not updating. Is there any limitation? Kindly suggest.
My guess is that you are trying to search the _internal index from within the DB Connect app context, which does not (generally) have permissions to do so.
Change your search context to the actual "search" app and it should work for you just fine. Enabling DB Connect does not cause the search head to stop forwarding internal logs.
Hi,
On which instance is DB Connect installed, search head or indexer? There is no such limitation that when you enable DB Connect, Splunk will stop generating/sending internal logs.