We are migrating from v2.4.0 to 3.0.2.
The Splunk doc says to migrate the config files to a Heavy Forwarder for scheduled inputs and outputs. However, we do not have this currently but are planning to incorporate it sometime. But we do have some lookups configured in our old version 2.4.0, so are the lookups also required to be moved to a Heavy Forwarder?
Also I'm quite confused here:
We use the Search Head UI to set up DB Connections and then we need to use the Heavy Forwarder UI to set up scheduled inputs/outputs, is it?
Should lookups be configured in SH or HF?
We'll try to improve the documentation, sorry for that. Let me clarify what we meant:
- dbxquery, dbxlookup, dbxoutput commands should typically be run on a Search Head
- scheduled jobs configured in DB Connect (inputs and outputs) cannot be run on a Search Head Cluster. During captain reelection, running DB Connect scheduled jobs can cause some duplicates or missing data.
@sarnagar to answer your questions:
- Should I move the lookups to Heavy Forwarder? No, keep them on Search Head
- Where do I have to declare the different entities: inputs, outputs, connections, ...?
  - inputs: Heavy Forwarder
  - outputs: Heavy Forwarder
  - lookups: Search Head
  - connections: Heavy Forwarder and/or Search Head. Connections are necessary to connect to your DB. Therefore, connections used by inputs/outputs need to be declared on Heavy Forwarder. Connections used by lookups and queries must be declared on Search Heads.
My understanding is that a dbxoutput needs to specify an output. How does the SH know about the output declared on the HF?
In my environment, I have created an output (with and without scheduling enabled) on the SHC and this works, but is it supported?
Also, as a test, I see in the SH log that the output gets scheduled but it appears that it never really gets executed. Is this the expected behaviour, or should the UI present an error when saving a scheduled output (I noticed the yellow warning about some functions won't work)?
This also makes no sense to me. When the manual says "DB Connect 3 does not support scheduled inputs and outputs in a search head cluster deployment. Splunk recommends that you run scheduled inputs and outputs from a heavy forwarder."
Does that mean that you cannot run reports using dbxquery from a search head cluster on a scheduled basis?
I can understand that you might not be able to run a cron there that pushes data into Splunk, but just running a query that connects to the DB makes little sense.
Neither does moving that function to a Heavy Forwarder. Heavy Forwarders typically send data to indexers, and are not used for reporting.
The manual needs to be clearer on this.
We are sorry about the confusion.
You can run dbxquery in a saved search run on Search Head Cluster for alerts or reports. What you cannot do is to ingest data read from a DB on a Search Head Cluster.