Splunk DB connect onboarding

blbr123
Path Finder

Hi All,

I have a requirement to do Splunk DB Connect onboarding in a distributed environment. Do I need to install Splunk DB Connect on the search head or the heavy forwarder?

My second question is: can we do the identity creation, connection and input configurations using the config folders instead of the web UI?

0 Karma
1 Solution

isoutamo
SplunkTrust

Hi

As @gcusello said, you should install it on the HF to use it to get data in. As your HF is outside of SC, you could also use the GUI if you want to add / modify inputs, connections and identities. I totally agree with @gcusello that it’s much easier to manage with the GUI than with conf files. If/when you are using only conf files, you must add those to local, not to the default folder like you usually do with your own apps/TAs. This is the way you can get Splunk to encrypt the password in the identity file (haven’t done it in a long time, so check that it’s still working)! Otherwise you have DB identities with plain text passwords on the server file system.

I also suggest you install DB Connect on the search head, as it has monitoring/health dashboards. Also, if you want to use dbxquery in your SPL, then you need it on the SH too.

r. Ismo

0 Karma

gcusello
SplunkTrust

Hi @blbr123,

About the first question, it's the same, but usually a Heavy Forwarder is used for this role.

About the second question: yes, you can use the conf files, but it's easier to use the GUI and I suggest using it to avoid errors. Anyway, you can see https://docs.splunk.com/Documentation/DBX/3.8.0/DeployDBX/Configurationfilereference

Ciao.

Giuseppe

0 Karma

blbr123
Path Finder

We are using Splunk Cloud, so we have app-specific folders where we generally edit configurations and merge them in git, and it goes to Jenkins, so I cannot do it in the web UI.

0 Karma

blbr123
Path Finder

Great! Thank you so much.

So in order to create the identity, I need the database username and password. I got the database username, but how do I need to request the database password? I mean, do I need to request it in an encrypted way or as a direct plain text password?

gcusello
SplunkTrust

Hi @blbr123,

Good for you, see you next time!

Ciao and happy splunking.

Giuseppe

P.S.: karma Points are appreciated by all the contributors 😉

isoutamo
SplunkTrust

You will get that password as plain text (as any other passwords) from your DB team.
When you are using the GUI, you are entering it as plain text and Splunk will encrypt it on the fly before it writes it to the local identities conf file. But when you are using conf files directly, and especially files in the default folder, then Splunk doesn’t encrypt that password. It will be as plain text forever in the conf file. Some TAs (at least earlier) can encrypt that password in the local folder when Splunk restarts, but not all. For that reason you must check how it is working with DB Connect. If this doesn’t work, there are some alternative ways to do it based on your installation.

r. Ismo

0 Karma
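
For the git-and-Jenkins workflow described in this thread, a check like the following can run before deployment to catch identity passwords committed in conf files. It is an added example, not code from the thread or from Splunk; it assumes the identity file is named `identities.conf` and uses a `password` key, and the app name, stanza names and values are constructed.

```python
import os
import tempfile

def scan_identities(root):
    """Return (path, stanza, folder) for each identity stanza that sets a password."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath)
        if "identities.conf" not in files or folder not in ("default", "local"):
            continue
        path = os.path.join(dirpath, "identities.conf")
        stanza = None
        with open(path, encoding="utf-8") as fh:
            for raw in fh:
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                if line.startswith("[") and line.endswith("]"):
                    stanza = line[1:-1]
                elif "=" in line:
                    key, value = (p.strip() for p in line.split("=", 1))
                    if key == "password" and value:
                        findings.append((os.path.relpath(path, root), stanza, folder))
    return sorted(findings)

def verdict(findings):
    # Per the thread: a password in default/ stays plain text, so block the build.
    # A password in local/ needs a check on the HF that it was encrypted.
    if any(folder == "default" for _path, _stanza, folder in findings):
        return "fail"
    return "review" if findings else "pass"

def build_sample_repo(root):
    """Write a constructed app tree; every name and value here is made up."""
    files = {
        "dbx_app/default/identities.conf":
            "[svc_reporting]\nusername = splunk_ro\npassword = Example-Not-Real\n"
            "\n[svc_nopass]\nusername = other_ro\n",
        "dbx_app/local/identities.conf":
            "# constructed sample\n[svc_audit]\nusername = audit_ro\npassword = Example-Not-Real-2\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as repo:
        build_sample_repo(repo)
        hits = scan_identities(repo)
        for path, stanza, folder in hits:
            print(f"{folder:8}{path} [{stanza}] sets password")
        print("verdict:", verdict(hits))
```

In a Jenkins stage, a `fail` verdict would stop the deployment, and a `review` verdict would prompt a check of the deployed local file on the heavy forwarder.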

gcusello
SplunkTrust

Hi @blbr123,

If you're using Splunk Cloud, DB-Connect must be on a Heavy Forwarder.

About the second question, you're free to use the approach you prefer: you have both ways to configure DB-Connect; in my mind, it's easier via the GUI, but you're free to use the way you like.

Ciao.

Giuseppe

0 Karma

blbr123
Path Finder

Is it possible to do onboarding using the web UI in Splunk Cloud?

0 Karma

gcusello
SplunkTrust

Hi @blbr123,

I confirm what @isoutamo said: usually HFs are in your infrastructure, not in Splunk Cloud.

Usually Splunk best practices suggest putting two HFs as concentrators between your infrastructure and Splunk Cloud, so you could use one of them for DB-Connect or use a dedicated one.

Ciao.

Giuseppe

0 Karma