DB Connect in a distributed environment

ngcgoon · ‎04-29-2013

In our environment we have the Search Heads, Forwarders and Indexers. Our indexers are using networked round robin DNS name to index events from the forwarders. We need to start getting events from our databases using the tail-"ing" method for which DB connect is good for. (Can't get it to work consistently) However it is unclear (in the docs) where to install DB connect either on the Search Head or Indexer? If we have pairs of indexers in our DNS indexer name linked, then we get events from sources on both indexers (however not duplicate events).

My guess is if i wanted to index database event lookups using Splunk DB connect, then I would install and setup DB connect on indexer A of B, however put an index name dbEvents on both paired indexers A and B?

Or Place the DB Connect on a search head and create an index name dbEvents on my grouped indexers?

Or should we install DB connect on the search head or forwarders?

Any insight is greatly appreciated.

Thanks!

jcoates_splunk · ‎09-11-2013

Hi,

we've just released DB Connect 1.1, which can now be installed on a search head pool.

app

search head pooling docs

The Heavy Forwarder route works too.

Thanks,
Jack

hemendralodhi · ‎04-10-2016

Do we have to install App on search head also to query the data? We are using Search head clustering and it is mentioned in doc to go through Heavy Forwarder route as it is not supported with SH clustering.
How I can query the data using HF route?

Thanks
Hemendra

DB Connect in a distributed environment

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms