In our environment we have the Search Heads, Forwarders and Indexers. Our indexers are using networked round robin DNS name to index events from the forwarders. We need to start getting events from our databases using the tail-"ing" method for which DB connect is good for. (Can't get it to work consistently) However it is unclear (in the docs) where to install DB connect either on the Search Head or Indexer? If we have pairs of indexers in our DNS indexer name linked, then we get events from sources on both indexers (however not duplicate events).
My guess is if i wanted to index database event lookups using Splunk DB connect, then I would install and setup DB connect on indexer A of B, however put an index name dbEvents on both paired indexers A and B?
Or Place the DB Connect on a search head and create an index name dbEvents on my grouped indexers?
Or should we install DB connect on the search head or forwarders?
Any insight is greatly appreciated.
Thanks!
Hi,
we've just released DB Connect 1.1, which can now be installed on a search head pool.
The Heavy Forwarder route works too.
Thanks,
Jack
Do we have to install App on search head also to query the data? We are using Search head clustering and it is mentioned in doc to go through Heavy Forwarder route as it is not supported with SH clustering.
How I can query the data using HF route?
Thanks
Hemendra