Splunk DB Connect: where exactly does the indexed data get stored

burwell
SplunkTrust

I would like to use Splunk DB Connect to get MySQL data into Splunk. I want the data to go into indexes on our indexers.

So I install the drivers and DB Connect add on on our search head.

The part I am not clear on is how to get the data to our indexers not an index on the search head.

If I run a test query on the search head to pull from MySQL -> Splunk index will that cause the data to get stored on one of the search peers (indexers) or how does that work exactly?

0 Karma

woodcock
Esteemed Legend

That is the dirty little secret about DB Connect: The data that comes in is not licensed. This is why Splunk hobbled dbxquery to limit it to 50K events returned. Splunk either knew (or suspected) that people were using dbquery plus collect to pull in DB data and bypass licensing. Most of my use of dbxquery is ad-hoc and transient and maybe yours is, too. In that case the data disappears with your search (unless, like I said, you pass it to collect to store it into a Summary Index, which again, does NOT get licensed).

einkebil
Explorer

Hello, to get data collected by your search head, you have to configure it as a heavy forwarder and load balance incoming data (use the appropriate stanza) to balance to your indexers.

My tip: if you have a lot of dbconnect[2] queries, you had better configure db connect[2] on a dedicated heavy forwarder (with web UI for convenience).
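
The forwarding setup described in the reply above, as an added example that is not part of the original post or anyone's actual configuration: an `outputs.conf` for a dedicated heavy forwarder running DB Connect. The group name and indexer hostnames are constructed placeholders, and 9997 is assumed to be the receiving port enabled on the indexers.

```ini
# outputs.conf on the dedicated heavy forwarder (added example; names are placeholders)

[tcpout]
# Send everything to the indexer group below by default.
defaultGroup = primary_indexers
# Do not keep a local indexed copy on the forwarder itself,
# so DB Connect input data lives only on the indexers.
indexAndForward = false

[tcpout:primary_indexers]
# Listing more than one receiver enables automatic load balancing across them.
server = idx1.example.com:9997, idx2.example.com:9997
# Switch to another indexer in the list every 30 seconds.
autoLBFrequency = 30
# Ask indexers to acknowledge receipt so data is resent if a connection drops.
useACK = true
```

With this in place, the index named in each DB Connect input is resolved on the indexers, so that index has to exist there rather than on the forwarder.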

burwell
SplunkTrust

I guess I was confused by the DBConnect references to installation in a distributed environment (we use SHC.)

http://docs.splunk.com/Documentation/DBX/2.1.3/DeployDBX/Distributeddeployment

I do want to be able to periodically pull a few tables from a MySQL db to use with my SHC for querying.

Yeah, I don't want my Search Heads to be heavy forwarders.

So if I configure one dedicated heavy forwarder to pull the data from my DB, then no DB Connect needs to be installed on the search heads?

0 Karma

einkebil
Explorer

You probably need dbconnect on your SH if you need it (for example, to use one of the tools provided, like direct query).

0 Karma
