Splunk® DB Connect

Deploy and Use Splunk DB Connect

Download manual as PDF

NOTE - Splunk DB Connect version 1.x reached its End of Life on July 28, 2016. Please see the migration information.
This documentation does not apply to the most recent version of DBX. Click here for the latest version.
Download topic as PDF

Architecture and performance

Splunk topology

If you have a trial or personal Splunk deployment running on a single host (indexer and Splunk Web both running on the same system), you can install Splunk DB Connect on this system.

To use Splunk DB Connect for reporting or database lookups in a search head pooling environment, you must install the app on a search head. For instructions on installing apps in a search head pooling environment, see Create a search head pool. For instructions on configuring search head pooling for Splunk DB Connect, see Set up search head pooling.

Note: Splunk DB Connect is not currently certified or supported for use with search head clusters or indexer clusters. For more information, see About Splunk DB Connect and search head clustering and indexer clustering, later in this topic.

In a distributed environment, you must perform lookups on the search head where Splunk DB Connect is installed. To perform a lookup locally, add local=1 after the lookup command.

Example:

index=test | lookup local=1 mysql_table ip_address as clientip OUTPUT host | table clientip, host

This is not currently possible when using automatic lookups. For more information on automatic lookups, see Edit existing automatic lookups or configure a new lookup to run automatically.

For database inputs, depending on the anticipated volume of your deployment, there are 3 options:

  • Small scale: install Splunk DB Connect on a search head for monitoring and configure it to forward events to the indexer(s)
  • Medium scale: use a dedicated Splunk heavy forwarder to perform monitoring and forward events to indexer(s).
  • Large scale: Use multiple dedicated Splunk forwarders and partition the monitors among them.

About search head pooling and dbmon-tail

We do not recommend using dbmon-tail inputs in a search head pooling environment. In a search head pooling environment, each search head has its own persistent storage that keeps track of the last rising column. This can cause Splunk to index different values for each search head.

We recommend instead that you use a dedicated heavy forwarder with DB Connect installed, to forward data to Splunk indexers.

About Splunk DB Connect and search head clustering and indexer clustering

A search head cluster, introduced in Splunk Enterprise 6.2, is a group of search heads that serves as a central resource for searching. An indexer cluster is a group of Splunk Enterprise indexers that replicates external data. Splunk DB Connect is not currently certified or supported for use with search head clusters or indexer clusters. However, you have the following options:

Performance considerations

Because Splunk DB Connect queries your database, there is a possibility that your queries may impact database performance. In particular, if the initial run of your query to the database retrieves a lot of data, this may affect the performance of your database. Subsequent runs of the query should have less impact, as they are only retrieving new data since the previous run of the query. To mitigate this, you can set the tail.follow.only option in the dbmon-tail stanza in inputs.conf.

Lookups generate multiple selects that should be within the expected workload for a database and should not affect performance. Splunk DB Connect executes a separate SELECT statement for each unique combination of input fields. This may happen more than once per search, because the search preview function in Splunk may invoke the lookup multiple times during execution of a search for parts of the results. Splunk does not cache the results between invocations of the lookup.

PREVIOUS
Deployment requirements
  NEXT
Install Splunk DB Connect

This documentation applies to the following versions of Splunk® DB Connect: 1.1, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.1.7, 1.2.0, 1.2.1, 1.2.2


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters