All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk DB Connect: where exactly does the indexed data get stored

burwell
SplunkTrust
SplunkTrust
‎03-03-2016 09:25 AM

I would like to use Splunk DB Connect to get MySQL data into Splunk. i want the data to go into indexes on our indexers.

So I install the drivers and DB Connect add on on our search head.

The part I am not clear on is how to get the data to our indexers not an index on the search head.

If I run a test query on the search head to pull from MySQL -> Splunk index will that cause the data to get stored on one of the search peers (indexers) or how does that work exactly?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-03-2016 05:53 PM

That is the dirty little secret about DB Connect: The data that comes in is not licensed. This is why Splunk hobbled dbxquery to limit it to 50K events returned. Splunk either knew (or suspected) that people were using dbquery plus collect to pull in DB data and bypass licensing. Most of my use of dbxquery is ad-hoc and transient and maybe yours is, too. In that case the data disappears with your search (unless, like I said, you pass it to collect to store it into a Summary Index, which again, does NOT get licensed).

View solution in original post

Reply
Solved! Jump to solution

einkebil
Explorer
‎03-04-2016 12:21 AM

Hello, to get data collected by your search head, you have to configure it has a heavy Forwarder end load balance incomming data (use apropriate stanza) to balance to your indexers.

my tip : If you have a lot of dbconnect[2] queries, you'd better have to configure the db connect[2] on a dedicated heavyforwarder (with web ui for convenience)

Reply
Solved! Jump to solution

burwell
SplunkTrust
SplunkTrust
‎03-04-2016 08:39 AM

I guess I was confused by the DBConnect references to installation in a distributed environment (we use SHC.)

http://docs.splunk.com/Documentation/DBX/2.1.3/DeployDBX/Distributeddeployment

I do want to be able to periodically pull a few tables from a MySQL db to use with my SHC for querying.

Yeah I don't want my Search Heads to to be heavy forwarders.

So if I configure one dedicated heavy forwarder to pull the data from my DB, then no DB Connect needs to be installed on the search heads?

0 Karma
Reply
Solved! Jump to solution

einkebil
Explorer
‎03-04-2016 09:09 AM

You probably need dbconnect on your sh if you need it ( by example to use one of the tool provided like direct query )

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-03-2016 05:53 PM

That is the dirty little secret about DB Connect: The data that comes in is not licensed. This is why Splunk hobbled dbxquery to limit it to 50K events returned. Splunk either knew (or suspected) that people were using dbquery plus collect to pull in DB data and bypass licensing. Most of my use of dbxquery is ad-hoc and transient and maybe yours is, too. In that case the data disappears with your search (unless, like I said, you pass it to collect to store it into a Summary Index, which again, does NOT get licensed).

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...