Configure Splunk DB Connect settings
Read this to set up DB Connect before you use it to access databases.
General
- Access Configuration > Settings.
- The General Settings tab contains settings related to your Java Runtime Environment (JRE) and Task Server. Change any settings you want. When DB Connect 3.x prompts you to input the JRE Installation path, make sure to input the complete JRE file path. See Prerequisites for further details.
- Select Save to restart the Task Server's Java process. You do not need to restart Splunk Enterprise for changes on this page to take effect.
JRE Installation Path (JAVA_HOME)
DB Connect attempts to detect the JAVA_HOME environment variable and use it as the JRE installation path if possible. You can change it to the Java home path you want to use for DB Connect.
JVM Options
This field lists Java Virtual Machine parameters. For more information about available JVM parameters, access Oracle's JVM documentation.
DB Connect saves the options in this field in $SPLUNK_HOME/etc/apps/splunk_app_db_connect/jars/server.vmopts.
Task Server Port
This field contains the port number of the task server. DB Connect uses an RPC server to manage communications with the Java subsystem. The default port is 9998, but you can use any unassigned, unused port on your system.
Drivers
This tab contains a list of supported database connection types, along with install status and version number information.
If there is no JDBC driver for a connection type, the Installed column shows an X icon and the word "No". By default, there are no drivers.
- To install a JDBC driver, follow the instructions in "Install database drivers".
- Once you have moved the appropriate JAR file to the $SPLUNK_HOME/etc/apps/splunk_app_db_connect/drivers directory, select the Reload button.
If you have installed a JDBC driver and it still does not register:
- Verify that you correctly installed the driver by repeating the steps in "Install database drivers".
- Access the "Supported databases matrix" to verify that DB Connect supports the driver and its version. If necessary, download a newer version of the driver.
- Follow the applicable steps in "Troubleshoot driver connections".
When DB Connect detects a driver, it displays a green checkmark icon and the word "Yes" next to the database, as shown in the screenshot. It also displays the version information of the driver.
Logging levels
Versions 3.0.x and higher of Splunk DB Connect provide graphical configuration of the DB Connect logging levels. DB Connect logs activity to files in $SPLUNK_HOME/var/log/splunk and automatically indexes them to _internal. The relevant log files for DB Connect are:
splunk_app_db_connect_server.log
splunk_app_db_connect_job_metrics.log
splunk_app_db_connect_dbx.log
splunk_app_db_connect_audit_server.log
By default, DB Connect logs all SQL queries it executes at the INFO level. You can enable other logging levels using the UI, or by adjusting the dbx_settings.conf file at splunk/etc/apps/splunk_app_db_connect/default/dbx_settings.conf.
Keystore
This tab contains a text input for setting a new keystore password. Only Splunk admin and DBX admin can run this action. The password must be at least 6 characters long.
Certificates
This tab contains the Public Keys and Client certificates present in the Keystore. It displays information such as Expiration Date, Issuer, Serial Number and Signature Algorithm.
Add Client Certificate
Select the New Client Certificate button to add as many client certificates as needed.
Alias: a name that will identify a specific entry in the Keystore. It should be unique.
Certificate: certificate using PEM encoding.
Private Key: the Private Key using PKCS8 format.
Verify that the Private Key is in PKCS8 format. A PKCS8 key has the header BEGIN PRIVATE KEY, and a PKCS1 key has the header BEGIN RSA PRIVATE KEY.
Convert the Private Key from PKCS1 to PKCS8 if needed using:
$SPLUNK_HOME/bin/splunk cmd openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in privkey-pkcs1.pem -out privkey-pkcs8.pem
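The header check and conversion above as a script. This is an added example, not part of the Splunk documentation: the function names are hypothetical, and falling back to the system openssl when SPLUNK_HOME is unset is an assumption.

```shell
#!/bin/sh
# Added example (not from the DB Connect docs); function names are hypothetical.

# pem_key_format FILE: print pkcs8, pkcs8-encrypted, pkcs1 or unknown,
# judged only by the first BEGIN line. The key body is never printed.
pem_key_format() {
    header=$(sed -n '/^-----BEGIN /{p;q;}' "$1" 2>/dev/null | tr -d '\r')
    case "$header" in
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;
        *)                                       echo unknown ;;
    esac
}

# ensure_pkcs8 IN OUT: write an unencrypted PKCS8 copy of IN to OUT.
# -nocrypt leaves the key unprotected on disk, so OUT is created under
# umask 077 (owner-only access).
ensure_pkcs8() {
    case "$(pem_key_format "$1")" in
        pkcs8)
            ( umask 077; cp "$1" "$2" ) ;;
        pkcs1)
            ( umask 077
              if [ -n "$SPLUNK_HOME" ]; then
                  # The command from the page, using the openssl bundled with Splunk.
                  "$SPLUNK_HOME/bin/splunk" cmd openssl pkcs8 -topk8 -inform PEM \
                      -outform PEM -nocrypt -in "$1" -out "$2"
              else
                  # Assumption: a system openssl is an acceptable substitute.
                  openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt \
                      -in "$1" -out "$2"
              fi ) ;;
        *)
            echo "$1: not an unencrypted PKCS1 or PKCS8 private key" >&2
            return 1 ;;
    esac
}

# Demo on a constructed file: header lines only, no real key material.
demo=$(mktemp)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '(constructed placeholder)' \
    '-----END RSA PRIVATE KEY-----' > "$demo"
echo "demo key format: $(pem_key_format "$demo")"
rm -f "$demo"
```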
Usage Collection
This tab contains an option to grant permission for Splunk to collect statistics about how you use DB Connect. See sending usage data to Splunk DB Connect to learn more about the data that DB Connect sends to Splunk.
HTTP Event Collector Configuration
By default, Splunk DB Connect sends data through a local HTTP Event Collector (HEC). With this configuration section, you can configure remote HECs and load balance data ingestion. A restart is required to apply the changes.
Settings
Max Content Length: when sending data through HEC, events are grouped in batches to speed up performance. This setting allows us to limit the batch size.
Max Retry When Unavailable: when data ingestion requests to the HEC fail for any reason, the system will retry until the value set in this setting is reached.
HTTP Event Collectors
By clicking the Add button, you will be able to add as many collectors as needed.
URL: specify the protocol, host and port. Example: https://hec.splunk.com:8068.
Token: specify the HEC token. Remember to set up the allowed indexes for your tokens according to your needs, as it can cause ingestion failures.
Set up a deny list
Splunk DB Connect allows you to specify a list of IP addresses or domain names that will be denied when used as part of the HTTP Event Collector URL.
To modify the deny list, follow the instructions below:
- Edit or create $SPLUNK_HOME/etc/apps/splunk_app_db_connect/local/dbx_settings.conf file.
- Restart Splunk.
[security]
denylist = <Comma separated IP addresses or domain names>
Note: For more information on all configuration options, see Settings Specifications file.
Enable/disable synchronization between KV Store and local files
Splunk DB Connect uses KV Stores to distribute data between each node when running on top of a Search Head Cluster. That's why sync routines exist, to update local files from the KV Store. Note that it also works for Splunk Enterprise and Heavy Forwarder instances.
Synchronized files:
$SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/identity.dat
$SPLUNK_HOME/etc/apps/splunk_app_db_connect/certs/keystore_password.dat
$SPLUNK_HOME/etc/apps/splunk_app_db_connect/keystore/default.jks
To stop syncing those files, follow the instructions below:
- Edit or create $SPLUNK_HOME/etc/apps/splunk_app_db_connect/local/dbx_settings.conf file.
- Restart Splunk.
[synchronizer]
enabled = false
Note: For more information on all configuration options, see Settings Specifications file.
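To confirm what the [security] and [synchronizer] stanzas in local/dbx_settings.conf actually contain after editing, the following added example (not part of the Splunk documentation) reads both settings back and checks a HEC URL's host against the deny list. The helper names are hypothetical, and the case-insensitive exact-match comparison is an assumption; DB Connect's own matching may differ.

```shell
#!/bin/sh
# Added example (not from the DB Connect docs); helper names are hypothetical.

# conf_get FILE STANZA KEY: print the value of KEY inside [STANZA], if set.
conf_get() {
    awk -v stanza="[$2]" -v key="$3" '
        /^[ \t]*#/  { next }                          # skip comment lines
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); in_s = ($0 == stanza); next }
        in_s {
            eq = index($0, "=")
            if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) val = v                     # last assignment wins
        }
        END { if (val != "") print val }' "$1"
}

# url_host URL: strip scheme, path, userinfo and port.
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[A-Za-z][A-Za-z0-9+.-]*://||' \
        -e 's|[/?#].*$||' -e 's|^.*@||' -e 's|:[0-9]*$||'
}

# hec_host_denied URL FILE: exit 0 if the URL host is a denylist entry.
# Assumption: case-insensitive exact match on each comma-separated entry.
hec_host_denied() {
    host=$(url_host "$1" | tr 'A-Z' 'a-z')
    [ -n "$host" ] || return 1
    conf_get "$2" security denylist | tr ',' '\n' | tr 'A-Z' 'a-z' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -Fxq -- "$host"
}

# Demo on a constructed dbx_settings.conf (documentation-range IP, example domain).
conf=$(mktemp)
printf '%s\n' '[security]' 'denylist = 192.0.2.10, blocked.example.com' \
    '' '[synchronizer]' 'enabled = false' > "$conf"
echo "denylist:     $(conf_get "$conf" security denylist)"
echo "synchronizer: $(conf_get "$conf" synchronizer enabled)"
for url in https://hec.example.com:8088 https://blocked.example.com:8088; do
    if hec_host_denied "$url" "$conf"; then echo "$url: host is on the deny list"
    else echo "$url: host is not on the deny list"; fi
done
rm -f "$conf"
```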
This documentation applies to the following versions of Splunk® DB Connect: 3.15.0, 3.16.0