Hello Experts,
Recently our client decided to ingest data from their database servers to the existing Splunk environment. The existing Splunk environment is like this:
3 Search Heads under a load balancer (no cluster)
4 Indexers (no cluster)
3 Heavy Forwarders
We have already installed Splunk DB Connect 3 in one of the heavy forwarders and we can clearly see the query result from the target database using SQL Explorer. We have also made sure that the HTTP Event Collector port is not blocked or anything so no bind port error in splunkd.log. Several data inputs have also been created. Unfortunately, we still don't know how to forward the events to the indexers.
Here is the outputs.conf we created in $SPLUNK_HOME/etc/system/local:
[default]
defaultGroup = hf_load_balance
[tcpout:hf_load_balance]
compressed = true
server = <idx1>:9997, <idx2>:9997, <idx3>:9997, <idx4>:9997
sslCertPath = /apps/splunk/etc/auth/servercert.pem
sslPassword = $1$bqkDNmCaJfWrxZxBi5bW
sslRootCAPath = /apps/splunk/etc/auth/CoreCA.pem
sslVerifyServerCert = true
And here is one of the inputs created (configuration from db_inputs.conf):
[UXP_Track_Logs]
connection = UXP
description = UXP DB Track_Logs Table
disabled = 0
index = app_uxpdb
index_time_mode = dbColumn
input_timestamp_column_number = 2
interval = 0,15,30,45 * * * *
mode = rising
query = <query for UXP>
query_timeout = 300
sourcetype = uxptracklogs
tail_rising_column_number = 2
The index app_uxpdb exists in all target indexers.
From DB Connect 3 documentation, only indexes.conf configuration is mentioned but not the way to forward the data. Can somebody please guide me for this one?
Thank you.
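As an added sanity check (not part of the original post or of Splunk's own tooling), the script below lints a constructed copy of the outputs.conf shown above: it confirms that defaultGroup resolves to a [tcpout:...] stanza, that every server entry is host:port, and that sslVerifyServerCert = true is paired with a CA path. The indexer hostnames are assumed placeholders and the sslPassword line is left out.

```python
"""Constructed lint of a Splunk outputs.conf like the one in the post."""
import configparser
import re

# Constructed copy of the poster's outputs.conf; hostnames are placeholders.
OUTPUTS_CONF = """
[default]
defaultGroup = hf_load_balance

[tcpout:hf_load_balance]
compressed = true
server = idx1.example.internal:9997, idx2.example.internal:9997
sslCertPath = /apps/splunk/etc/auth/servercert.pem
sslRootCAPath = /apps/splunk/etc/auth/CoreCA.pem
sslVerifyServerCert = true
"""

HOST_PORT = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")


def lint_outputs(text):
    """Return a list of problems found in an outputs.conf body (empty = ok)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(text)
    problems = []
    group = cp.get("default", "defaultGroup", fallback=None)
    if not group:
        return ["[default] has no defaultGroup; events stay on the forwarder"]
    for g in (x.strip() for x in group.split(",")):
        stanza = f"tcpout:{g}"
        if not cp.has_section(stanza):
            problems.append(f"defaultGroup '{g}' has no [{stanza}] stanza")
            continue
        raw = cp.get(stanza, "server", fallback="")
        servers = [s.strip() for s in raw.split(",") if s.strip()]
        if not servers:
            problems.append(f"[{stanza}] lists no server")
        for s in servers:
            if not HOST_PORT.match(s):
                problems.append(f"[{stanza}] bad server entry '{s}' (need host:port)")
        verify = cp.get(stanza, "sslVerifyServerCert", fallback="false").lower()
        if verify == "true" and not cp.get(stanza, "sslRootCAPath", fallback=""):
            problems.append(f"[{stanza}] sslVerifyServerCert=true but no sslRootCAPath "
                            "in this stanza (the CA must then come from server.conf)")
    return problems


if __name__ == "__main__":
    for line in lint_outputs(OUTPUTS_CONF) or ["outputs.conf looks consistent"]:
        print(line)
```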