Splunk Cloud Platform

Splunk DB Connect: Where to place configurations, in heavy forwarder or on Splunk Cloud, and where to get the JRE path?

blbr123
Path Finder

Hi All,

I am working on Splunk Cloud Classic and got a request to onboard the MySQL server database logs to Splunk.

I have gone through the documentation and am aware of creating the identity, connection and input.

Q1. Where do I place these configurations, in heavy forwarder or on Splunk Cloud?

Q2. From where do I get the JRE path and where do I install the JDBC drivers? As it's a cloud environment I am quite confused about this, and we are not allowed to change any configurations using the web UI; everything is done using the config files in Bitbucket.

Q3. How do I set up the server class for this?

Thank you.

0 Karma

isoutamo
SplunkTrust

Hi

A1: I prefer to use an HF on site. You have more control over it than putting it on SC.

A2: Try to use a standard installation on your platform (Linux preferred). Then add it via the DBX Config GUI. With DBX configuration I prefer to use the GUI and then add those to Bitbucket or other Git repositories. It will be really hard to add those inputs via Bitbucket. Anyhow, you must check and test those on an additional HF, and even then there could be an issue with checkpoints if you are using rising inputs.

A3: I haven't ever used DS to deploy DBX, so I cannot help you. I cannot quickly find whether this is even a supported way to deploy it or not.

Actually, you cannot use DS to deploy it: "Although you cannot distribute DB Connect configuration using a Deployment Server, you can distribute indexes.conf files."

A note about indexes

r. Ismo

0 Karma

blbr123
Path Finder

Today I checked Bitbucket and saw that within the non-production folder (which is a local repo downloaded from the deployment server) there is a folder created for the heavy forwarder, to place the configurations for the heavy forwarder.

My doubt is: if we create the configurations folder for the heavy forwarder under the deployment server folder, how does it get pushed to the heavy forwarder?

Because normally whatever we place in the deployment server folder will go to hosts with a UF agent, and the deployment server does not have the capability to push configurations to a heavy forwarder.

By the way, I see the server class as below:

Dev_heavy_forwarder:app:splunk_app_db_connect.

 

0 Karma

richgalloway
SplunkTrust

Deployment servers do have the capability to push configurations to heavy forwarders.  If the HF is a deployment client and the DS has a server class in which the HF is a member, then the apps in that server class will be downloaded by the HF.  But this is not the way to deploy DBX.

---
If this reply helps you, Karma would be appreciated.
0 Karma

blbr123
Path Finder

@richgalloway thank you for the response. Currently I see this is the way they have used to onboard DBX in a cluster environment. May I know which way is the best?

0 Karma

isoutamo
SplunkTrust

Do you mean an SHC cluster environment, or what cluster are you talking about?

It's a totally different thing to configure inputs for it and to run it in "query mode" in SHC. You shouldn't install it on an indexer cluster at all.

On the HF side, install an input on only one HF, never on an HF "cluster", as it doesn't have any method to keep track of what one node has gotten and distribute that information to another member of the "HF cluster". Each node has its own status information about what the current checkpoint is for rising inputs.

If you are talking about SHC then you must use the Deployer, not the deployment server! And in SHC you should never run any inputs! You should add those DB identities and connections on the Deployer in the $SPLUNK_HOME/etc/shcluster/apps/splunk_app_db_connect/local directory. Not default, as when you are updating the DBX version it will overwrite the default folder on the Deployer unless you do manual merging of those files!

Basically you could use DS to deploy those files to the Deployer's shcluster directory, but usually DS is used only for deploying apps to the Deployer itself.

But as you can find in the DB Connection instructions (see my previous post), you cannot/shouldn't use DS to deploy it or its configuration, even if it can be done from a technical point of view. It's not a supported configuration!

richgalloway
SplunkTrust

A1.  Install DB Connect and define the identity, connection, and input on an on-prem heavy forwarder.

A2. Get the JRE path from the system admin responsible for the HF.  JDBC files go in the documented folder.  Since this is an on-prem server, you should have full access to the file system.

A3. What server class?  Are you trying to deploy DBX using a Deployment Server?  I'm not sure that's possible.

---
If this reply helps you, Karma would be appreciated.
0 Karma

blbr123
Path Finder

When I was checking the Bitbucket serverclass file I saw something like:

integratedforwarder:app:splunk_app_dbconnect

0 Karma
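
Several replies in this thread point out that distributing DB Connect through a deployment server is not a supported configuration, while the poster's repository already contains server-class entries for it. As an added example (not code from any poster or from Splunk), here is a Python check that a repository review job could run over serverclass.conf to list server classes that map the DB Connect app. The sample file content and host names are constructed, and matching the `splunk_app_dbconnect` spelling quoted above is an assumption.

```python
import re

# Constructed sample of a serverclass.conf as it might sit in the Git repo.
SAMPLE_CONF = """\
[serverClass:Dev_heavy_forwarder]
whitelist.0 = hf-dev-01.example.internal
[serverClass:Dev_heavy_forwarder:app:splunk_app_db_connect]
restartSplunkd = true
[serverClass:integratedforwarder]
whitelist.0 = intfwd-*.example.internal
[serverClass:integratedforwarder:app:splunk_app_dbconnect]
[serverClass:all_uf:app:Splunk_TA_nix]
"""

STANZA = re.compile(r"^\[serverClass:([^:\]]+)(?::app:([^\]]+))?\]$")
WHITELIST = re.compile(r"^whitelist\.\d+\s*=\s*(.+)$")


def is_dbx_app(app_name):
    """True for splunk_app_db_connect and the splunk_app_dbconnect spelling."""
    return re.sub(r"[^a-z0-9]", "", app_name.lower()) == "splunkappdbconnect"


def find_dbx_mappings(conf_text):
    """Return [(server_class, app, [whitelist patterns])] for DB Connect apps."""
    whitelists, mappings, current = {}, [], None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            m = STANZA.match(line)
            cls, app = m.groups() if m else (None, None)
            # Only class-level stanzas carry the whitelist we report.
            current = cls if app is None else None
            if app and is_dbx_app(app):
                mappings.append((cls, app))
            continue
        w = WHITELIST.match(line)
        if w and current:
            whitelists.setdefault(current, []).append(w.group(1))
    return [(c, a, whitelists.get(c, [])) for c, a in mappings]


if __name__ == "__main__":
    for cls, app, hosts in find_dbx_mappings(SAMPLE_CONF):
        print(f"{cls}: deploys {app}; whitelist: {hosts or 'none at class level'}")
```

Whitelists set at the global or app level are not resolved here; the check reports only the patterns defined on the server class itself.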