Splunk® DB Connect

Deploy and Use Splunk DB Connect

Install and configure Splunk DB Connect on a Splunk Enterprise On-Premise distributed platform deployment

To use Splunk DB Connect in a distributed search environment, including search head clusters, you must install the app on search heads and heavy forwarders.

Deployment topologies

Design your deployment based on architecture and performance considerations. This list specifies the typical deployment topologies in which you can install Splunk DB Connect. In all cases, Splunk best practice is to install DB Connect on a dedicated search head.

  • Single search head, multiple indexers, load-balanced forwarders
  • Multiple search heads, multiple indexers, load-balanced forwarders
  • Indexer cluster, single search head
  • Search head cluster, multiple independent indexers, load-balanced forwarders

For general information about configuring the topology components described in this section, see Distributed Splunk Enterprise overview, or any of the following topics:

Deploy DB Connect on search head clusters

You can deploy Splunk DB Connect in a search head clustering environment. To install, use the deployer to distribute DB Connect to all of the search head cluster members. Be aware that you must use the cluster deployer, not Deployment Server, to distribute DB Connect to search head cluster members.
For more information about configuring search head clusters, see Configure the search head cluster.

  1. If you have not already done so, deploy and configure a search head cluster.
  2. Install the database drivers for the databases you want to connect to with DB Connect. See Install database drivers for details.
  3. Install DB Connect on the deployer. See Single server deployment for details.
  4. Set up identities and connections for your databases.
  5. Copy the splunk_app_db_connect directory from $SPLUNK_HOME/etc/apps/ to the $SPLUNK_HOME/etc/shcluster/apps/ directory on the deployer. This includes all custom configuration files as well as JDBC drivers. Changes to the kerberos_client.conf and identity.dat files are not replicated to other SHC nodes. After you change these files, copy them manually to the other SHC nodes.
  6. Deploy the configuration bundle by running the splunk apply shcluster-bundle command on the deployer:
    splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>

    • The -target parameter specifies the URI and management port for any member of the cluster. You select only one cluster member, but the deployer pushes to all members. You must enter this parameter.
    • The -auth parameter specifies credentials for the deployer instance.
  7. The deployer displays a message that asks you to acknowledge that the cluster members might restart. Select Y to acknowledge.

For more information about deploying a configuration bundle, see Deploy a configuration bundle.

For full instructions about how to use the deployer to distribute apps, add-ons, and their configuration bundles, see Use the deployer to distribute apps and configuration updates.

When you use DB Connect in a search head clustering (SHC) environment, use the deployer to push configuration changes to SHC members. If you prefer to use the DB Connect UI or modify .conf files and then replicate configuration to SHC members, restart Splunk Enterprise on SHC members after you have updated them with the new configuration. There are three reasons why you must restart SHC members after updating their configuration:

  • When you make a configuration change on a search head, such as a change to the RPC server port, Splunk Enterprise replicates changes to the SHC members automatically. However, the SHC members might still use the old configuration until you restart them.
  • Splunk Enterprise automatically replicates to SHC members the changes you make to most of the DB Connect-specific settings and objects through the REST API. Splunk Enterprise does not automatically replicate changes you make by editing .conf files on a search head. To ensure that Splunk Enterprise replicates all your changes, and to replicate any changes you made by editing .conf files, you must restart the search head on which you made the change.
  • Splunk Enterprise does not automatically replicate changes you make by editing kerberos_client.conf and identity.dat files. You need to manually replicate the files to other SHC nodes.
  • DB Connect provides high availability on Splunk Enterprise with a Search Head Cluster, by executing input/output on the captain.
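Because kerberos_client.conf and identity.dat are copied by hand, member copies can drift apart without any error. The following script is an added example, not part of the Splunk documentation or product: it compares SHA-256 hashes of those two files between a reference copy of the app directory and copies taken from each member. The function names and the idea of comparing local copies of each member's splunk_app_db_connect directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Splunk code): detect drift in the DB Connect files
# that the search head cluster does not replicate.
# Assumption: each argument is a local copy of one member's
# splunk_app_db_connect directory; sha256sum is installed.

UNREPLICATED_FILES="kerberos_client.conf identity.dat"

# Print "<sha256>  <relative path>" for every unreplicated file under an
# app directory. Files are found by name, so no subdirectory is assumed.
manifest() {
    app_dir=${1%/}
    for name in $UNREPLICATED_FILES; do
        find "$app_dir" -type f -name "$name" | sort | while IFS= read -r f; do
            sum=$(sha256sum "$f" | cut -d' ' -f1)
            rel=${f#"$app_dir"/}
            printf '%s  %s\n' "$sum" "$rel"
        done
    done
}

# Compare one member copy with the reference copy.
# Returns 0 if identical, 1 on drift, 2 if the reference has no such files.
check_member() {
    ref=$(manifest "$1")
    if [ -z "$ref" ]; then
        echo "no unreplicated files found under $1" >&2
        return 2
    fi
    if [ "$ref" = "$(manifest "$2")" ]; then
        echo "OK    $2"
        return 0
    fi
    echo "DRIFT $2" >&2
    return 1
}

# Check every member copy; the return value is the number that differ.
check_all() {
    ref_dir=$1
    shift
    drifted=0
    for member in "$@"; do
        check_member "$ref_dir" "$member" || drifted=$((drifted + 1))
    done
    return "$drifted"
}

if [ "$#" -ge 2 ]; then check_all "$@"; fi
```

Run it with the reference directory first and the member copies after it. A non-zero exit status is the number of member copies whose files differ from the reference.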

A note about indexes

When you create a database input, you must select the index in which you want to index the data received from your database. When you select an index, by default you must select one of the indexes on that instance of Splunk Enterprise. This means that you cannot select an index that you have configured on a search peer but not distributed to the rest of the deployment.

To select an index that you have not configured on, for example, a forwarder or search head that is running DB Connect, you can create or edit an indexes.conf file, and then distribute it using Deployment Server. Although you cannot distribute DB Connect configuration using a Deployment Server, you can distribute indexes.conf files.

To configure peer indexes in a distributed deployment, follow the instructions in Configure the peer indexes in an indexer cluster. First, you edit the indexes.conf file, and then you distribute it to peers. This practice ensures that you configure search heads and forwarders to send all logs to the indexer tier, which prevents this distribution of indexes.conf from causing Splunk Enterprise to create local indexes on search heads and forwarders.

Once you have distributed the configuration, applications like DB Connect know which indexes exist to validate configuration.

Last modified on 28 April, 2023

This documentation applies to the following versions of Splunk® DB Connect: 3.13.0, 3.14.0, 3.14.1, 3.15.0, 3.16.0, 3.17.0, 3.17.1, 3.17.2
