Dears,
I would like to install Splunk DB Connect v3, but I have questions regarding the recommended setup of it on a Heavy Forwarder. In case I am using an Output connection to insert into a database, how is the Heavy Forwarder supposed to be able to search my events in the index layer?
Thanks in advance.
You will have to make your Heavy Forwarder a full Search Head by adding your Indexers as Search Peers (or migrate this function to your Search Head).
I agree with you, but my question is: the guide already informed us not to add DB Connect on an SH cluster.
So why are they going for that? They are now adding extra processing to the HF.
These roles are just names. Make your HF a Search Head, too. Just use the GUI to add the Search Peers and that's it. It is just a name, for the most part. Do not add this stand-alone Search Head to the other SHC and DO NOT let other people log in to it to run searches here.
Thanks for pointing this out.
Should really be documented. This and the HEC dependency.
The Heavy Forwarder is to run the DB Connect queries and then send (outputs.conf pointing to your Indexer tier) to your Indexers. The Heavy Forwarder does not "search your events" at all; it GENERATES them and stores them on the Indexers.
You are talking about an Input connection, which means running a query against the database and sending the data to the indexers,
but I am talking about inserting data from Splunk into a database through an Output connection in DB Connect itself.
How is DB Connect supposed to search my events that exist in the indexer tier?