Splunk DB Connect 1: Is there a way to configure DNS caching TTL in Splunk?

yanivamram
Path Finder

Hi,

I'm using Splunk DB Connect vs Amazon RDS service (MySQL database) and it works great.
But, from time to time, when the IP of the database is changed, Splunk fails to connect anymore, even though I'm using a DNS name.

Seems like Splunk resolves the database DNS only once.
To work around the problem, I've restarted the Splunk service.

I wonder if there's a configuration where I could define the "DNS caching TTL".

Thanks in advance,

esix_splunk
Splunk Employee

Splunk shouldn't be caching this. Most likely you're seeing a resolution issue with your cache server in your company. If you can do a dig for your hostname, you can see the TTL value for it you're getting on your network:

;; ANSWER SECTION:
www.google.com. 299 IN A 206.169.145.222
www.google.com. 299 IN A 206.169.145.242
www.google.com. 299 IN A 206.169.145.232

0 Karma

yanivamram
Path Finder

Well, I think the problem could be solved by tuning the java.security settings.
I've set the networkaddress.cache.ttl to 60sec.
Will follow up this issue and update...

Yaniv

0 Karma
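
Added example (not part of any post in this thread, and not Splunk's code): a shell check that reads a `java.security` file and reports the effective `networkaddress.cache.ttl`, the setting named in the post above. The file contents are a constructed sample, the function names are hypothetical, and it assumes `key=value` or `key:value` lines.

```shell
#!/bin/sh
# Added example: audit the JVM DNS cache TTL configured in a java.security file.

# Write a constructed sample (not a real JDK file) to the path in $1.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample for this example
#networkaddress.cache.ttl=-1
networkaddress.cache.negative.ttl=10
networkaddress.cache.ttl = 60
EOF
}

# Print the last uncommented value of networkaddress.cache.ttl in file $1,
# or "unset" when the key is absent or appears only in comments.
jvm_dns_ttl() {
    awk '
        /^[ \t]*[#!]/ { next }                    # skip comment lines
        /^[ \t]*networkaddress\.cache\.ttl[ \t]*[=:]/ {
            sub(/^[^=:]*[=:][ \t]*/, "")          # drop key and separator
            sub(/[ \t\r]+$/, "")                  # drop trailing blanks and CR
            val = $0; found = 1                   # a later definition wins
        }
        END { print (found ? val : "unset") }
    ' "$1"
}

# Translate the raw value into the caching behaviour it selects.
describe_dns_ttl() {
    case "$1" in
        unset)       echo "unset: JVM default applies" ;;
        -1)          echo "cache forever: an address change is not seen until restart" ;;
        0)           echo "no caching: every lookup goes to the resolver" ;;
        *[!0-9]*|"") echo "not -1 or a non-negative integer: $1" ;;
        *)           echo "cache successful lookups for $1 seconds" ;;
    esac
}

# Demo run against the constructed sample.
f=$(mktemp)
write_sample "$f"
describe_dns_ttl "$(jvm_dns_ttl "$f")"
rm -f "$f"
```

Point `jvm_dns_ttl` at the `java.security` file of the JVM that actually runs the application; a commented-out line does not count as a setting.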

yanivamram
Path Finder

Hi Esix,
Thanks for your reply.

My DB is actually an Amazon RDS instance.
The Splunk server is also running on Amazon EC2.
So, it doesn't seem like the problem is with the DNS server side.
Also, the problem vanishes when I restart the Splunk server (not reboot), so it seems like an issue on the Splunk side.

It happens from time to time and I have no idea how to solve this issue 😞

Yaniv

0 Karma