All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I send search results through Hunk or Splunk to HBase for storage and future use?

melonman
Motivator
‎10-15-2014 10:47 PM

Hello

I am looking for a solution or app that can sends any search results by Hunk (Or Splunk) to HBase.
I could use summary index to keep search results in local disk, but I need to add disks as summary gets larger.
Instead of putting summary in local disk as summary index,
I want to store the search results in HBase, and retrieve the data in HBase for future use (long-time trending analysis etc etc)

Currently I am thinking to use DB Connect (JDBC) ->Apache Phenix - Hbase,
but if anyone has done this or have any idea, could you please share your comments?

Thank you very much

Reply
1 Solution
Solved! Jump to solution
Solution

jhodge_splunk
Splunk Employee
Splunk Employee
‎10-21-2014 09:28 AM

Hi,

I have had brief go at getting this working on a single vm with HBase and Splunk co-located and it worked. Here are my notes

  • Install Apache Phoenix as per Phoenix interactions
  • Install splunk db connect

  • create a symbolic link to the phoenix jar in the dvx connect bin/lib directory

    [root@ip-172-31-43-73 lib]# pwd

    /opt/splunk/etc/apps/dbx/bin/lib

    [root@ip-172-31-43-73 lib]# ls -lh total 8.6M

    .....
    lrwxrwxrwx. 1 root root 53 Oct 11 15:31 phoenix.jar -> /usr/lib/phoenix/phoenix-4.0.0.2.1.5.0-695-client.jar
    .....

  • now navigate to the following directory

    [root@ip-172-31-43-73 local]# pwd

    /opt/splunkbeta/etc/apps/dbx/local

  • create an file called dataase_types.conf and put the following params

  • note that the connectionUrl must match the one for your environment

    [root@ip-172-31-43-73 local]# cat database_types.conf

    [phoenix]
    displayName = Apache_Phoenix
    jdbcDriverClass = org.apache.phoenix.jdbc.PhoenixDriver
    connectionUrlFormat = jdbc:phoenix:localhost:2181:/hbase-unsecure
    validationDisabled=true

  • create a file called database.conf

  • create a database connection setting as per below

  • the password field is not used but expected by Splunk so just replicate the one below, same for the username (I have not tried removing the unnecessary fields yet)

    [root@ip-172-31-43-73 local]# cat database.conf

    [test1]
    database = a
    host = localhost
    isolation_level = DATABASE_SETTING
    password = enc:jw5zI9HoOE35gOa9+eRJsA==
    readonly = 1
    type = phoenix
    username = admin

Hopefully this should allow you to write queries to HBase from Splunk via Phoenix!!!

View solution in original post

Reply
Solved! Jump to solution
Solution

jhodge_splunk
Splunk Employee
Splunk Employee
‎10-21-2014 09:28 AM

Hi,

I have had brief go at getting this working on a single vm with HBase and Splunk co-located and it worked. Here are my notes

  • Install Apache Phoenix as per Phoenix interactions
  • Install splunk db connect

  • create a symbolic link to the phoenix jar in the dvx connect bin/lib directory

    [root@ip-172-31-43-73 lib]# pwd

    /opt/splunk/etc/apps/dbx/bin/lib

    [root@ip-172-31-43-73 lib]# ls -lh total 8.6M

    .....
    lrwxrwxrwx. 1 root root 53 Oct 11 15:31 phoenix.jar -> /usr/lib/phoenix/phoenix-4.0.0.2.1.5.0-695-client.jar
    .....

  • now navigate to the following directory

    [root@ip-172-31-43-73 local]# pwd

    /opt/splunkbeta/etc/apps/dbx/local

  • create an file called dataase_types.conf and put the following params

  • note that the connectionUrl must match the one for your environment

    [root@ip-172-31-43-73 local]# cat database_types.conf

    [phoenix]
    displayName = Apache_Phoenix
    jdbcDriverClass = org.apache.phoenix.jdbc.PhoenixDriver
    connectionUrlFormat = jdbc:phoenix:localhost:2181:/hbase-unsecure
    validationDisabled=true

  • create a file called database.conf

  • create a database connection setting as per below

  • the password field is not used but expected by Splunk so just replicate the one below, same for the username (I have not tried removing the unnecessary fields yet)

    [root@ip-172-31-43-73 local]# cat database.conf

    [test1]
    database = a
    host = localhost
    isolation_level = DATABASE_SETTING
    password = enc:jw5zI9HoOE35gOa9+eRJsA==
    readonly = 1
    type = phoenix
    username = admin

Hopefully this should allow you to write queries to HBase from Splunk via Phoenix!!!

Reply
Solved! Jump to solution

alexmc
Explorer
‎05-13-2015 08:55 AM

Would this solution work with Hunk, or just Splunk?

Cheers

0 Karma
Reply
Solved! Jump to solution

Ledion_Bitincka
Splunk Employee
Splunk Employee
‎05-13-2015 11:28 AM

It should work for Hunk too

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...