All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

After installing Splunk DB Connect on my search head, how do I select what index I want data sent to on the indexer?

JamesOwen
Explorer
‎10-26-2016 10:44 AM

I have two servers in my Splunk Deployment:
1 Indexer
1 Everything else (not indexer)

I installed Splunk DB Connect on my Search head, however, when I was trying to configure the DB Inputs, I was not able to select the index I wanted to send the data to.

Documentation suggests that it should be installed on the search head, however, I am not sure how to get the data into the correct index on the indexer.

Reply
1 Solution
Solved! Jump to solution
Solution

hgrow
Communicator
‎10-26-2016 12:21 PM

Hey JamesOwen,

are you already forwarding _internals from your sh to your index-tier?

If not read the "Best Practice manual" :
http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Forwardsearchheaddata

Next thing is to pick the right index .... since your SH useally dont know anything about the indices on your indexer you cant just pick the correct index over the UI in DB Connect when you set up your input.

Correct me if i am wrong but in DB Connect 2.3.1. you can just type the name in the index-drop-down. If you are running an older version you have to edit the inputs.conf file and edit the correct index in (not recomended),

If you are correctly forwarding all your data from the SH-layer to the Index-layer things will go fine.

If you want to user the UI on the SH to pick an index you have to replicate your indexes.conf from your indexer.

Hope it helps.

sincerely
hgrow

View solution in original post

Reply
Solved! Jump to solution

JamesOwen
Explorer
‎10-26-2016 12:42 PM

I have setup my search head to send its data to the indexer. When I look at the indexes on the search head, the only index with data is _audit with 11.1K records from 5 months ago. All other indexes are empty.

I have setup my input DB Inputs by manually typing in the index name I wish the data to be sent to and saved it.

It looks OK but I don't see any data coming across yet.
Only 20K records in the log_table I am pulling so it should take long to ingest it.
Is there something else I need to do to make it work?

Thanks for your help.

0 Karma
Reply
Solved! Jump to solution

hgrow
Communicator
‎10-26-2016 02:24 PM

Hi James,

be sure you are forwarding all data from your SH to your IDX.

outputs.conf

[tcpout]
...
forwardedindex.filter.disable = true  
...

There can be filter in place wich data is forward. Ref.: http://docs.splunk.com/Documentation/Splunk/6.5.0/Forwarding/Routeandfilterdatad#Filter_data_by_targ...

Next can you confirm that your input is working as intended. Any error for your query if you look at 

index=_internal sourcetype=dbx2 OR sourcetype=dbx_query_audit

hgrow

0 Karma
Reply
Solved! Jump to solution

hgrow
Communicator
‎10-26-2016 02:59 PM

Oh and if you not quite sure about the input you have setup, you can post it or try to create the input using the UI to avoid any missconfiguration in the input.

What versions of splunk and db connect you are using?

0 Karma
Reply
Solved! Jump to solution

JamesOwen
Explorer
‎10-27-2016 06:55 AM

Thank you for your reply and sorry for the delay.

I am using Splunk 6.5 and Splunk DB Connect 2.3.1

After trying your first suggestion of just typing in the index I wanted, it was working. I wasn't able to find the data initially because I was using a test data bases and the latest data was from 10/20. My search defaults to just "Today" so I wasn't finding anything.

I had to convince myself that I wasn't missing anything by looking at things like the rpc.log. I saw logs showing it was pulling data.

0 Karma
Reply
Solved! Jump to solution

hgrow
Communicator
‎10-27-2016 07:03 AM

Hey JamesOwen,

I'm glad i could help 🙂

Now logs going in the fun part can begin. Happy splunking !

hgrow

0 Karma
Reply
Solved! Jump to solution
Solution

hgrow
Communicator
‎10-26-2016 12:21 PM

Hey JamesOwen,

are you already forwarding _internals from your sh to your index-tier?

If not read the "Best Practice manual" :
http://docs.splunk.com/Documentation/Splunk/6.5.0/DistSearch/Forwardsearchheaddata

Next thing is to pick the right index .... since your SH useally dont know anything about the indices on your indexer you cant just pick the correct index over the UI in DB Connect when you set up your input.

Correct me if i am wrong but in DB Connect 2.3.1. you can just type the name in the index-drop-down. If you are running an older version you have to edit the inputs.conf file and edit the correct index in (not recomended),

If you are correctly forwarding all your data from the SH-layer to the Index-layer things will go fine.

If you want to user the UI on the SH to pick an index you have to replicate your indexes.conf from your indexer.

Hope it helps.

sincerely
hgrow

Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...