Splunk® DB Connect

Deploy and Use Splunk DB Connect

This documentation does not apply to the most recent version of Splunk® DB Connect. For documentation on the most recent version, go to the latest release.

Configure Splunk DB Connect settings

Read this to set up DB Connect before you use it to access databases.

General

  1. Access Configuration > Settings.
  2. The General Settings tab contains settings related to your Java Runtime Environment (JRE) and Task Server. Change any settings you want. When DB Connect 3.x prompts you to input the JRE Installation path, Make sure to input the complete JRE file path. See Prerequisites for further details.
  3. Select Save to restart the Task Server's Java process. You do not need to restart Splunk Enterprise for changes on this page to take effect.

JRE Installation Path (JAVA_HOME)

DB Connect attempts to detect the JAVA_HOME environment variables as the JRE installation path if possible. You can change it to the Java home path you want to use for DB Connect.

JVM Options

This field lists Java Virtual Machine parameters. For more information about available JVM parameters, access Oracle's JVM documentation.

DB Connect saves the options in this field in $SPLUNK_HOME/etc/apps/splunk_app_db_connect/jars/server.vmopts.

Task Server Port

This field contains the port number of the task server. DB Connect uses an RPC server to manage communications with the Java subsystem. The default port is 9998, but you can use any unassigned, unused port on your system.

Drivers

This tab contains a list of supported database connection types, along with install status and version number information.

If there is no JDBC driver for a connection type, the Installed column shows an X icon and the word "No". By default, there are no drivers.

  1. To install a JDBC driver, follow the instructions in "Install database drivers".
  2. Once you have moved the appropriate JAR file to the $SPLUNK_HOME/etc/apps/splunk_app_db_connect/drivers directory, select the Reload button.

If you have installed a JDBC driver and it still does not register:

When DB Connect detects a driver, it displays a green checkmark icon and the word "Yes" next to the database, as shown in the screenshot. It also displays the version information of the driver.
Driverstab.jpg

Logging levels

Versions 3.0.x and higher of Splunk DB Connect provides graphical configurations of the logging levels of DB Connect. DB Connect logs activity to files in $SPLUNK_HOME/var/log/splunk and automatically indexes to _internal. The relevant log files for DB Connect are:

  • splunk_app_db_connect_server.log
  • splunk_app_db_connect_job_metrics.log
  • splunk_app_db_connect_dbx.log
  • splunk_app_db_connect_audit_server.log

By default, DB Connect logs all SQL queries it executes at the INFO level. You can enable other logging levels using the UI, or by adjusting the dbx_settings.conf file at splunk/etc/apps/splunk_app_db_connect/default/dbx_settings.conf.
Dbx30logging.jpg

Keystore

This tab contains a text input for setting a new keystore password. Only Splunk admin and DBX admin can run this action. The password must be at least 6 characters long.

Certificates

This tab contains the Public Keys and Client certificates present in the Keystore. It displays information such as Expiration Date, Issuer, Serial Number and Signature Algorithm.

Add Client Certificate

By clicking the New Client Certificate button, you will be able to add as many Client Certificate as needed.

Alias: a name that will identify a specific entry in the Keystore. It should be unique.

Certificate: certificate using PEM encoding.

Private Key: the Private Key using PKCS8 format.

Verify the Private Key is in PKCS8 format, PKCS8 contains a header as BEGIN PRIVATE KEY and PKCS1 as BEGIN RSA PRIVATE KEY

Convert Private Key from PKCS1 to PKCS8 if needed using $SPLUNK_HOME/bin/splunk cmd openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in privkey-pkcs1.pem -out privkey-pkcs8.pem

Usage Collection

This tab contains an option to grant permission for Splunk to collect statistics about how you use DB Connect. See sending usage data to Splunk DB Connect to learn more about the data that DB Connect sends to Splunk.

HTTP Event Collector Configuration

By default, Splunk DB Connect sends data through a local HTTP Event Collector (HEC). With this configuration section, you can configure remote HECs and load balance data ingestion. A restart is required to apply the changes.

Settings

Max Content Length: when sending data through HEC, events are grouped in batches to speed up performance. This setting allows us to limit the batch size.

Max Retry When Unavailable: when data ingestion requests to the HEC fail for any reason, the system will retry until the value set in this setting is reached.

HTTP Event Collectors

By clicking the Add button, you will be able to add as many collectors as needed.

URL: specify the protocol, host and port. Example: https://hec.splunk.com:8068.

Token: specify the HEC token. Remember to set up the allowed indexes for your tokens according to your needs, as it can cause ingestion failures.

Set up a deny list

Splunk DB Connect allows you to specify a list of IP addresses or domain names that will be denied when used as part of the HTTP Event Collector URL.

To modify the deny list, follow the instructions below:

  1. Edit or create $SPLUNK_HOME/etc/apps/splunk_app_db_connect/local/dbx_settings.conf file.
  2. [security]
    denylist = <Comma separated IP addresses or domain names>
    

    Note: For more information on all configuration options, see Settings Specifications file.

  3. Restart Splunk.

Enable/disable synchronization between KV Store and local files

Splunk DB Connect uses KV Stores to distribute data between each node when running on top of a Search Head Cluster. That's why sync routines exist, to update local files from the KV Store. Note that it also works for Splunk Enterprise and Heavy Forwarder instances.

Synchronized files:

$SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/identity.dat $SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/keystore_password.dat $SPLUNK_HOME/etc/apps/splunk_app_db_connect/keystore/default.jks

To stop syncing those files, follow the instructions below:

  1. Edit or create $SPLUNK_HOME/etc/apps/splunk_app_db_connect/local/dbx_settings.conf file.
  2. [synchronizer]
    enabled = false
    

    Note: For more information on all configuration options, see Settings Specifications file.

  3. Restart Splunk.
Last modified on 07 May, 2024
Backup and restore Splunk DB Connect version 3.10.0 or higher   Configure Splunk DB Connect to support requireClientCert=true

This documentation applies to the following versions of Splunk® DB Connect: 3.15.0, 3.16.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters