Developing for Splunk Enterprise

DB Connect in a distributed environment

ngcgoon
Explorer

In our environment we have the Search Heads, Forwarders and Indexers. Our indexers are using networked round robin DNS name to index events from the forwarders. We need to start getting events from our databases using the tail-"ing" method for which DB connect is good for. (Can't get it to work consistently) However it is unclear (in the docs) where to install DB connect either on the Search Head or Indexer? If we have pairs of indexers in our DNS indexer name linked, then we get events from sources on both indexers (however not duplicate events).

My guess is if i wanted to index database event lookups using Splunk DB connect, then I would install and setup DB connect on indexer A of B, however put an index name dbEvents on both paired indexers A and B?

Or Place the DB Connect on a search head and create an index name dbEvents on my grouped indexers?

Or should we install DB connect on the search head or forwarders?

Any insight is greatly appreciated.

Thanks!

Tags (2)
0 Karma

jcoates_splunk
Splunk Employee
Splunk Employee

Hi,

we've just released DB Connect 1.1, which can now be installed on a search head pool.

app

search head pooling docs

The Heavy Forwarder route works too.

Thanks,
Jack

hemendralodhi
Contributor

Do we have to install App on search head also to query the data? We are using Search head clustering and it is mentioned in doc to go through Heavy Forwarder route as it is not supported with SH clustering.
How I can query the data using HF route?

Thanks
Hemendra

Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!