Splunk DB connect: How to configure the database connection in a search head cluster?

Harishma
Communicator

Hi All,

After installing Splunk DB Connect via the deployer in a search head cluster, should I configure the database connection via the deployer UI or any search head UI for it to reflect on all search heads?
Or is it necessary to configure it individually on all search heads?

1 Solution

koshyk
Super Champion

Though DBconnect is SH clustering compatible, it is really complicated. Especially if you have Enterprise Security in the cluster, it will cause CPU spikes, and Splunk support requested to move DBconnect out of an ES SH cluster. Afterwards, I'm using a heavy forwarder to pull DB data using DBconnect. So the 1st preference is to use a heavy forwarder or a standalone search head to pull in the data rather than an SH cluster.

If you really want to implement it within an SH cluster, how we have done it is:
1. Splunk DBconnect app (set up in the staging server and push it via the deployer). There should NOT be any changes to this app other than the required driver for the database.
2. Create a new app (MYAPP_dbconnect_inputs). Configure all your inputs in this app in the staging server and push it via the deployer to the SH members. Ensure you put a stanza to have disabled = false, so you can toggle if something goes wrong.

This way, you can control all your inputs via a single app (rather than updating it to the local of the official app). Also, in an SH cluster the SH members receive the configuration into the "default" directory!! This makes it complex, as the original app's config will get mixed with your changes if you are using the original Splunk app.
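A pre-push check for the separate inputs app described in this answer, added here as an example and not code from the original post or from Splunk: it reports which input stanzas carry an explicit `disabled` key, so each one can be toggled after the deployer push. The sample stanzas and their key names are constructed, and treating `1`/`true` as "disabled" is an assumption of this sketch.

```python
import re

STANZA = re.compile(r"^\[([^\]]+)\]$")
KEYVAL = re.compile(r"^([A-Za-z0-9_.\-]+)\s*=\s*(.*)$")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1] + " "
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if (m := STANZA.match(line)):
            current = stanzas.setdefault(m.group(1), {})
        elif (m := KEYVAL.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).strip()
    return stanzas

def toggle_report(text):
    """Map each stanza to 'missing', 'enabled' or 'disabled'."""
    report = {}
    for name, keys in parse_conf(text).items():
        if "disabled" not in keys:
            report[name] = "missing"     # cannot be toggled without an edit
        elif keys["disabled"].lower() in ("1", "true"):
            report[name] = "disabled"
        else:
            report[name] = "enabled"
    return report

# Constructed sample: stanza names, keys and values are illustrative only.
SAMPLE = r"""
[orders_rising]
connection = prod_orders
query = SELECT id, status FROM orders \
    WHERE disabled = 0 \
    ORDER BY id
[audit_batch]
connection = prod_audit
disabled = false
[legacy_feed]
connection = old_dw
disabled = 1
"""

if __name__ == "__main__":
    for stanza, state in toggle_report(SAMPLE).items():
        print(f"{stanza}: {state}")
```

The continuation handling matters here: the `WHERE disabled = 0` line inside the multi-line query is part of the `query` value, so `orders_rising` is still reported as missing the key, which a plain text search for `disabled` would not catch.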

Harishma
Communicator

Hi @koshyk,

Thank you so much for your inputs.

  1. Actually, we currently have the DB Connect V1 app on a standalone SH that is not part of the cluster. We intend to upgrade it and migrate it to the SH cluster. We do not have ES in the cluster, so I believe we may not face CPU spikes. Is there still a necessity to create a different app (MYAPP_dbconnect_inputs)? Please correct me if I'm wrong here.

  2. Also, every time I add a new identity/DB, can I add it in the deployer and push it to all SHs via the official app, or if I add it in any one SH, will it reflect in the remaining SHs of the cluster?

koshyk
Super Champion
  1. The good thing with you having a separate app is that you can isolate it in various environments. So you can have different inputs/identities in your DEV, TEST & PROD without touching the core DBconnect app.
  2. If you build it in the staging server and push it via the deployer, the SH captain will get a copy and it replicates across the rest of the SH members. So all SHs will have the same bundle and it replicates, and the captain allocates which SH is to pull data at any given time.

Please vote/accept if you find the answers useful. Cheers
