Architecture and performance
If you have a trial or personal Splunk deployment running on a single host (indexer and Splunk Web both running on the same system), you can install Splunk DB Connect on this system.
To use Splunk DB Connect for reporting or database lookups in a search head pooling environment, you must install the app on a search head. For instructions on installing apps in a search head pooling environment, see Create a search head pool. For instructions on configuring search head pooling for Splunk DB Connect, see Set up search head pooling.
Note: Splunk DB Connect is not currently certified or supported for use with search head clusters or indexer clusters. For more information, see About Splunk DB Connect and search head clustering and indexer clustering, later in this topic.
In a distributed environment, you must perform lookups on the search head where Splunk DB Connect is installed. To perform a lookup locally, add local=1 after the lookup command, as in the following search:
index=test | lookup local=1 mysql_table ip_address as clientip OUTPUT host | table clientip, host
This is not currently possible when using automatic lookups. For more information on automatic lookups, see Edit existing automatic lookups or configure a new lookup to run automatically.
For database inputs, depending on the anticipated volume of your deployment, there are 3 options:
- Small scale: install Splunk DB Connect on a search head for monitoring and configure it to forward events to the indexer(s).
- Medium scale: use a dedicated Splunk heavy forwarder to perform monitoring and forward events to the indexer(s).
- Large scale: use multiple dedicated Splunk forwarders and partition the monitors among them.
About search head pooling and dbmon-tail
We do not recommend using dbmon-tail inputs in a search head pooling environment. In a search head pooling environment, each search head has its own persistent storage that keeps track of the last rising column. This can cause Splunk to index different values for each search head.
We recommend instead that you use a dedicated heavy forwarder with DB Connect installed, to forward data to Splunk indexers.
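The following is an added illustration, not Splunk DB Connect code: a simplified Python model of two hosts that each tail the same table and each keep their own stored rising-column value. The TailInput class, the events table and its id column are assumptions made for the example.

```python
import sqlite3

class TailInput:
    """Hypothetical model of a rising-column tail input on one host."""
    def __init__(self, name, conn):
        self.name = name
        self.conn = conn
        self.checkpoint = 0   # last rising-column value, stored on THIS host only
        self.fetched = []     # ids this host has forwarded for indexing

    def poll(self):
        # Fetch only rows above this host's own checkpoint, then advance it.
        rows = self.conn.execute(
            "SELECT id FROM events WHERE id > ? ORDER BY id",
            (self.checkpoint,)).fetchall()
        ids = [r[0] for r in rows]
        if ids:
            self.checkpoint = ids[-1]
        self.fetched.extend(ids)
        return ids

def add_rows(conn, n):
    conn.executemany("INSERT INTO events (msg) VALUES (?)", [("event",)] * n)

def simulate():
    # Constructed sample data: an in-memory table with a rising id column.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE events (id INTEGER PRIMARY KEY AUTOINCREMENT, msg TEXT)")
    sh1, sh2 = TailInput("sh1", conn), TailInput("sh2", conn)
    batches = []
    add_rows(conn, 3)                      # ids 1-3 arrive
    batches.append(("sh1", sh1.poll()))    # sh1 initial run
    add_rows(conn, 2)                      # ids 4-5 arrive
    batches.append(("sh2", sh2.poll()))    # sh2 initial run starts from 0
    add_rows(conn, 1)                      # id 6 arrives
    batches.append(("sh1", sh1.poll()))    # sh1 resumes from its own value
    return sh1, sh2, batches

def duplicates(a, b):
    """Row ids forwarded by both hosts."""
    return sorted(set(a.fetched) & set(b.fetched))

if __name__ == "__main__":
    sh1, sh2, batches = simulate()
    for host, ids in batches:
        print(host, "fetched", ids)
    print("checkpoints:", sh1.checkpoint, sh2.checkpoint)
    print("forwarded by both hosts:", duplicates(sh1, sh2))
```

In this model the two hosts end with different stored values and forward different batches, and a single dedicated forwarder avoids that because only one stored value exists.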
About Splunk DB Connect and search head clustering and indexer clustering
A search head cluster, introduced in Splunk Enterprise 6.2, is a group of search heads that serves as a central resource for searching. An indexer cluster is a group of Splunk Enterprise indexers that replicates external data. Splunk DB Connect is not currently certified or supported for use with search head clusters or indexer clusters. However, you have the following options:
- Use search head pooling with Splunk DB Connect. For more information, see Set up search head pooling. Be aware that search head pooling was deprecated in Splunk 6.2, and may not be available in future releases.
- Use data inputs and outputs on a dedicated search head or heavy forwarder.
Because Splunk DB Connect queries your database, there is a possibility that your queries may impact database performance. In particular, if the initial run of your query to the database retrieves a lot of data, this may affect the performance of your database. Subsequent runs of the query should have less impact, as they are only retrieving new data since the previous run of the query. To mitigate this, you can set the tail.follow.only option in the dbmon-tail stanza in
Lookups generate multiple selects that should be within the expected workload for a database and should not affect performance. Splunk DB Connect executes a separate SELECT statement for each unique combination of input fields. This may happen more than once per search, because the search preview function in Splunk may invoke the lookup multiple times during execution of a search for parts of the results. Splunk does not cache the results between invocations of the lookup.
This documentation applies to the following versions of Splunk® DB Connect: 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.2.0, 1.2.1, 1.2.2