topic Re: How can we index real-time data directly from an Oracle database into splunk? in Splunk Search

How can we index real-time data directly from an Oracle database into splunk?

saurabh7026 — Fri, 03 Apr 2015 07:19:16 GMT

Is there any way to index real-time data directly from an oracle database into the splunk? I want to index data from a database and this will be real-time data.

Re: How can we index real-time data directly from an Oracle database into splunk?

sbochniewicz — Fri, 03 Apr 2015 18:01:48 GMT

The quick answer is https://splunkbase.splunk.com/app/2686/

This database connection app will let you import, export and lookup oracle data.

The important part is ensuring that the data your are importing has an incremental number or date that can be used to collect only new data.

db-tail is the input feature you are looking for.

Re: How can we index real-time data directly from an Oracle database into splunk?

pmdba — Sat, 04 Apr 2015 04:05:08 GMT

You can also check out this paper for more information on a variety of ways to get Oracle data into Splunk. If you want to report database changes in real-time, then db-tail may not be the best option. db-tail can capture incremental changes, but it still runs like a scheduled job - at most once per minute - and runs a query on your data that will put some minimal additional load on your system. If that is close enough to real-time for you, then it is probably the easiest option.

If you need closer to real-time, then your best bet would be a PL/SQL trigger or some such that would transmit the data directly to Splunk on a TCP input. There is some risk of data being lost that way (if packets were lost on the network or if the trigger failed for some reason) but it would be as close to real-time as you could get. There is an example of how to set this up in the paper.