Splunk DB Connect: Install on SQL Server itself?

jasongb
Path Finder

I've been surfing the documentation for Splunk DB Connect, and can't find any indication that I need to install anything on my SQL server to utilize Splunk DB Connect.

Is it the case that all installations for drivers, etc., need to take place on the Splunk infrastructure? It seems to me that all you need on the client (e.g., heavy forwarder) are the connection information, valid credentials, and the necessary database drivers.

If a heavy forwarder has those things, it can connect to the SQL server directly, without any additional changes or installs on that SQL server - correct?

0 Karma

Roy_9
Motivator

I have installed it on the heavy forwarder along with jTDS drivers and created inputs and connections using a SQL service account. In my case it worked only with the jTDS driver.

0 Karma

isoutamo
SplunkTrust

Hi

Which JDBC driver you must use depends on the SQL Server version. In our case it also works with MS's own drivers. See the compatibility list here: https://docs.splunk.com/Documentation/DBX/3.5.1/DeployDBX/Installdatabasedrivers#Supported_databases

r. Ismo

0 Karma

richgalloway
SplunkTrust

You must install Splunk DB Connect, along with the associated JDK and drivers, on a Splunk instance - preferably a heavy forwarder. Don't install DB Connect on your SQL server unless you already have a Splunk instance there.

---
If this reply helps you, Karma would be appreciated.
0 Karma

isoutamo
SplunkTrust

As @richgalloway said, you should install it on an HF and actually keep it active on only one HF at a time. If there is a need to migrate it to a second HF, you must also copy those status files which keep count of what events it has already gotten. That is for the input/ingesting side.

Beyond that, I suggest you also install it on the SH/SHC layer to monitor those inputs more easily, as DBX has quite nice dashboards for that. Also, if you need to do dbqueries or use dblookups, you must install it on the SH layer. BUT don't use those nodes/installations for getting data in to Splunk; HFs are for that in a distributed environment.

Personally, I don't install it on the SQL Server node even if I have an HF there already. It's better to keep it on a dedicated HF which is used for inputs. And especially if your SQL Server is HA/clustered, you definitely must install it on another host.

r. Ismo

0 Karma