- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Separating Search Heads and Database Access
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
We have a recently upgraded our Splunk implementation, and currently have the following (as relevant to the query below):
- A search head cluster
- A couple of indexers
- A separate Database Access server (DBConnect)
In general we allow the DBConnect server access to the databases, and pull relevant data into Splunk. This works well.
We now have a scenario where we would rather run a dbxquery directly against the database from a search head (ie not consume the data into Splunk). The question is, is there any way of doing this without deploying DBConnect to all the search heads and giving them access to the databases ? For example, can we get the dbxquery to run on the DBConnect server ?
I'm pretty sure the answer is no, but I thought I would ask the smart people out there !
Thankyou.
Rhys
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you execute a search it will execute locally (on the search head that it was run from) and on the search peers. While it is possible to configure a heavy forwarder as a search peer (you'd do this to make use of the Monitoring Console), I don't think that would be a good approach here, and may end up affecting your search efficiency as well.
I think your assumed answer is the best answer: deploy DBConnect to the search heads and grant that host access to the database to enable search-time database operations.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you execute a search it will execute locally (on the search head that it was run from) and on the search peers. While it is possible to configure a heavy forwarder as a search peer (you'd do this to make use of the Monitoring Console), I don't think that would be a good approach here, and may end up affecting your search efficiency as well.
I think your assumed answer is the best answer: deploy DBConnect to the search heads and grant that host access to the database to enable search-time database operations.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fantastic, thankyou. Look's like we will need to consume the data instead. That's a bit of a challenge but I think we can do it.
Thanks again.
Rhys
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
