Hi,
We have recently upgraded our Splunk implementation, and currently have the following (as relevant to the query below):
- A search head cluster
- A couple of indexers
- A separate Database Access server (DBConnect)
In general we allow the DBConnect server access to the databases, and pull relevant data into Splunk. This works well.
We now have a scenario where we would rather run a dbxquery directly against the database from a search head (i.e. not consume the data into Splunk). The question is, is there any way of doing this without deploying DBConnect to all the search heads and giving them access to the databases? For example, can we get the dbxquery to run on the DBConnect server?
I'm pretty sure the answer is no, but I thought I would ask the smart people out there!
Thank you.
Rhys
When you execute a search it will execute locally (on the search head that it was run from) and on the search peers. While it is possible to configure a heavy forwarder as a search peer (you'd do this to make use of the Monitoring Console), I don't think that would be a good approach here, and may end up affecting your search efficiency as well.
I think your assumed answer is the best answer: deploy DBConnect to the search heads and grant that host access to the database to enable search-time database operations.
Fantastic, thank you. Looks like we will need to consume the data instead. That's a bit of a challenge but I think we can do it.
Thanks again.
Rhys