Splunk DB Connect onboarding

Path Finder

Hi All,

I have a requirement to do Splunk DB Connect onboarding in a distributed environment. Do I need to install Splunk DB Connect on the search head or the heavy forwarder?

My second question is: can we do the identity creation, connection and input configurations using the config folders instead of the web UI?

0 Karma
1 Solution



As @gcusello said, you should install it on the HF to use it for getting data in. As your HF is outside of SC, you could also use the GUI if you want to add / modify inputs, connections and identities. I totally agree with @gcusello that it's much easier to manage with the GUI than with conf files. If/when you are using only conf files, you must add those to the local folder, not to the default folder as you usually do with your own apps/TAs. This is how you can get Splunk to encrypt the password in the identity file (I haven't done it in a long time, so check that it's still working)! Otherwise you have DB identities with plain text passwords on the server file system.

I also suggest you install DB Connect on the search head, as it has monitoring/health dashboards. Also, if you want to use dbxquery in your SPL, then you need it on the SH too.

r. Ismo

0 Karma


Hi @blbr123,

About the first question, it's the same, but usually a Heavy Forwarder is used for this role.

About the second question: yes, you can use the conf files, but it's easier to use the GUI and I suggest using it to avoid errors. Anyway, you can see at



0 Karma

Path Finder

We are using Splunk Cloud, so we have app-specific folders where we generally edit configurations and merge them in git, and it goes to Jenkins, so I cannot do it in the web UI.

0 Karma




Path Finder

Great! Thank you so much.

So in order to create the identity, I need the database username and password. I got the database username, but how do I need to request the database password? I mean, do I need to request it in an encrypted way or as a direct plain text password?


Hi @blbr123,

Good for you, see you next time!

Ciao and happy splunking.


P.S.: karma Points are appreciated by all the contributors 😉


You will get that password as plain text (like any other password) from your DB team.
When you are using the GUI, you enter it as plain text and Splunk will encrypt it on the fly before it writes it to the local identities conf file. But when you are using conf files directly, and especially files in the default folder, Splunk doesn't encrypt that password. It will stay as plain text forever in the conf file. Some TAs (at least earlier) can encrypt that password in the local folder when Splunk restarts, but not all. For that reason you must check how it works with DB Connect. If this doesn't work, there are some alternative ways to do it based on your installation.

r. Ismo

0 Karma
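A pre-merge check for the git and Jenkins workflow described in this thread, as an added example that is not part of any post and not Splunk's own tooling: it scans app folders for identity conf files and reports passwords shipped in a default folder or stored as plain text in local. The file name `identities.conf`, the `password` key and the markers in `ENCRYPTED_PREFIXES` are assumptions to verify against your DB Connect version; the sample repo is constructed.

```python
import configparser
import sys
import tempfile
from pathlib import Path

# Assumptions, not from the thread: the conf file name, the key name, and the
# prefixes that mark an already-encrypted value. Check them for your version.
IDENTITY_FILE, PASSWORD_KEY = "identities.conf", "password"
ENCRYPTED_PREFIXES = ("$1$", "$7$", "U2FsdGVkX1")


def scan_repo(root):
    """Return (relative path, stanza, reason) for each risky password entry."""
    root = Path(root)
    findings = []
    for conf in sorted(root.rglob(IDENTITY_FILE)):
        rel = conf.relative_to(root).as_posix()
        parser = configparser.RawConfigParser(strict=False)
        try:
            parser.read(conf, encoding="utf-8")
        except configparser.Error as exc:
            findings.append((rel, "-", f"unparseable: {type(exc).__name__}"))
            continue
        for stanza in parser.sections():
            value = parser.get(stanza, PASSWORD_KEY, fallback="").strip()
            if value and conf.parent.name == "default":
                # Per the thread: a value shipped in default stays plain text.
                findings.append((rel, stanza, "password in default folder"))
            elif value and not value.startswith(ENCRYPTED_PREFIXES):
                findings.append((rel, stanza, "plain text password"))
    return findings


def demo():
    """Scan a constructed sample repo (two conf files, three identities)."""
    plain = "[{0}]\nusername = splunk_ro\npassword = Constructed-Plain-Value\n"
    enc = "[svc_enc]\nusername = splunk_ro\npassword = U2FsdGVkX1-constructed\n"
    samples = {
        "app_a/default/identities.conf": plain.format("svc_default"),
        "app_a/local/identities.conf": plain.format("svc_plain") + enc,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in samples.items():
            path = Path(tmp, rel)
            path.parent.mkdir(parents=True)
            path.write_text(text, encoding="utf-8")
        return scan_repo(tmp)


if __name__ == "__main__":
    results = scan_repo(sys.argv[1]) if len(sys.argv) > 1 else demo()
    sys.exit("\n".join(": ".join(r) for r in results) or 0)
```

Run with the repository path as the only argument; a non-zero exit status fails the pipeline stage when any finding is reported.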


Hi @blbr123,

If you're using Splunk Cloud, DB-Connect must be on a Heavy Forwarder.

About the second question, you're free to use the approach you prefer: you have both ways to configure DB-Connect; in my opinion, it's easier via the GUI, but you're free to use the way you like.



0 Karma

Path Finder

Is it possible to do the onboarding using the web UI in Splunk Cloud?

0 Karma


Hi @blbr123,

I confirm what @isoutamo said: usually HFs are in your infrastructure, not in Splunk Cloud.

Usually Splunk best practices suggest putting two HFs as concentrators between your infrastructure and Splunk Cloud, so you could use one of them for DB-Connect or use a dedicated one.



0 Karma