Developing for Splunk Enterprise

DB Connect in a distributed environment


In our environment we have the Search Heads, Forwarders and Indexers. Our indexers are using networked round robin DNS name to index events from the forwarders. We need to start getting events from our databases using the tail-"ing" method for which DB connect is good for. (Can't get it to work consistently) However it is unclear (in the docs) where to install DB connect either on the Search Head or Indexer? If we have pairs of indexers in our DNS indexer name linked, then we get events from sources on both indexers (however not duplicate events).

My guess is if i wanted to index database event lookups using Splunk DB connect, then I would install and setup DB connect on indexer A of B, however put an index name dbEvents on both paired indexers A and B?

Or Place the DB Connect on a search head and create an index name dbEvents on my grouped indexers?

Or should we install DB connect on the search head or forwarders?

Any insight is greatly appreciated.


Tags (2)
0 Karma

Splunk Employee
Splunk Employee


we've just released DB Connect 1.1, which can now be installed on a search head pool.


search head pooling docs

The Heavy Forwarder route works too.



Do we have to install App on search head also to query the data? We are using Search head clustering and it is mentioned in doc to go through Heavy Forwarder route as it is not supported with SH clustering.
How I can query the data using HF route?


Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!