Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to install Splunk DB on search heads, and is it required to have Splunk indexing?

sebdon81
Engager
‎09-30-2022 01:01 PM

Dear community, I am new to Splunk DB and I am trying to understand a few things:

Context: I am trying to use Splunk DB as an interface for my data stored in Hudi or HDFS or Cassandra. I want to give the Splunk DB interface which can query this data and returns this date to a Splunk environment.

I have a few questions:

- I read that it is recommended to install Splunk DB on the heavy forwarder. If we only have access to the research head, is it possible to install it on search heads?

- in terms of indexing, is it required to have the Splunk indexing, or I can use the indexing of the other database?

- overall, my use cases will use Slunk DB just as an interface.

Thanks a lot

 

Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-03-2022 08:25 AM

Hi @sebdon81,

in a distributed architecture, usually Search Heads makes the Search Head role not also the indexer.

For this reason in my opinion this isn't a good idea.

Anyway, sending data to indexers you have them available for searches, so, why do you want also a local copy? in addition, paying twice the license?

if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sebdon81
Engager
‎10-01-2022 05:17 PM

Hello @gcusello ,

First thanks a lot for taking the time to answer me. Very much appreciated.

I just wanted to be sure we are talking about the same software. In my question, I was referring to this software:

https://splunkbase.splunk.com/app/2686

Splunk DB Connect is a generic SQL database extension for Splunk that enables easy integration of database information with Splunk queries and reports. Splunk DB Connect supports DB2/Linux, Informix, MemSQL, MySQL, AWS Aurora, Microsoft SQL Server, Oracle, PostgreSQL, AWS

Is it the same think you are talking about?

 

Thanks a lot

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-01-2022 10:50 PM

Hi @sebdon81,

ok, sorry for the misunderstanding but is frequent for new users confusing Splunk with a DB!

Anyway, as I said, DB Connect is an app to extract data from a database and save extraction results in Splunk, It isn't efficient for on line extractions.

The usual use is to schedule an extraction using a query from one or more table of a database.

About which database to use, this depends on the jdbc driver available, here you can find the supported database list: https://docs.splunk.com/Documentation/DBX/3.10.0/DeployDBX/Installdatabasedrivers#Supported_database...

In this link there's all the useful documentation https://docs.splunk.com/Documentation/DBX/3.10.0/DeployDBX/AboutSplunkDBConnect, and in the YouTybe Splunk Channel, you can also find some useful video.

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

sebdon81
Engager
‎10-03-2022 08:01 AM

@gcusello thanks again.

One more question: do you know if we can use local indexing on the search index?

Since I only have access to the search index, I wanted to be sure that I can move the data to Splunk and have local index.

Thanks for all your help.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-03-2022 08:25 AM

Hi @sebdon81,

in a distributed architecture, usually Search Heads makes the Search Head role not also the indexer.

For this reason in my opinion this isn't a good idea.

Anyway, sending data to indexers you have them available for searches, so, why do you want also a local copy? in addition, paying twice the license?

if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-04-2022 08:54 AM

Hi @sebdon81,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-30-2022 10:57 PM

Hi @sebdon81,

I think that there's some misunderstanding in your question:

at first the Spluk name is "Splunk Enterprise" and not "Splunk DB" also because Splunk isn't a DB! Splunk is a search engine, you have to see it as Google more than a database.

In second time, Splunk could work as an interface with external systems, but it doesn't work in this way, also because is should be very slow and less performant than other tools: it can ingest data from these data source but it isn't a querying interface.

In few words, it works in this way:

  • it collects your data from every kind of source, from text files to mainframe's database tables,
  • it parses and indexes them storing data in some indexes,
  • then it makes available this data for every kind of search, structured (using extracted fields) or not structured (full text search).

As I said, if you want to use it to search data from external sources (Hudi or HDFS or Cassandra) you have to ingest them in Splunk and then search in these data, not in the original sources.

Anyway, answering to your questions:

  • I read that it is recommended to install Splunk DB on the heavy forwarder. If we only have access to the research head, is it possible to install it on search heads?
    • in a Splunk architecture there are many components: indexers to index data, Search Heads to access them, Heavy Forwarders for some special data extrations, Universal Forwarders as an agent to extract data from servers,
    • you can also collapse more roles in the same machine, also all the roles (except UF),
    • so, it's better to use an Heavy Forwarder to extract data from your environment, but then data are stored and used in the other roles,
    • as I said, if you want, you can use one machine for more roles.
  • in terms of indexing, is it required to have the Splunk indexing, or I can use the indexing of the other database?
    • as I said, it's better to index data inside Splunk otherwise performances are too low,
    • this means that you have to pay for the license that is countered in terms or daily indexed data,
    • as I said it isn't a database, but you can extract data from external databases
  • overall, my use cases will use Splunk DB just as an interface.
    • As I said, you must review your design, engaging a Splunk Architect!

I hint to see in the YouTube Splunk Channel some video that describes as Splunk works.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...