I'm using Splunk Enterprise (licensed) and I want to connect to an external MongoDB to search data stored there. I don't want to index any of this data.
- I don't have a Hunk license. Can I still use the Hunk App for MongoDB?
- Is it viable to use Splunk DB Connect?
Already looked into some posts here but most are almost 2 years old and some of the answers are not really enlightening on a good way to achieve this.
Looking at your question I stumbled across this:
I have not tried to query a MongoDB with Splunk, but just from reading the docs:
In addition to the supported databases that Splunk has tested and certified for use with DB Connect, you may also be able to use unsupported JDBC-compatible databases with Splunk DB Connect. You will need to provide the necessary JDBC drivers to add your own database types. For more information, see Install drivers for other databases.
I bet you can do the same with DBX 2 as referred in the pdf/answer above.
Maybe it helps
DB Connect is not intended for searching databases; it's intended to pull data into Splunk for indexing. It doesn't allow you to just query a database and display it in the Splunk WebUI.
@nnmiller Splunk DB Connect 2 allows querying of databases to be displayed in the Splunk Web UI through DB Lookups Operations. The advantage is that it will not add to daily indexing volume; however, it will impact the performance of the database, as it will be queried directly through Splunk.
Having said that, MongoDB is not listed in the supported DBs for the DB Connect 2 app. http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Supporteddatabases
Hunk App for MongoDB seems to be the only possibility for this. However, it is better to check with Splunk representatives on licensing/cost.
The answer is simple and it's listed on the overview of the dbconnect app:
Splunk DB Connect is the best solution for working with databases from Splunk. It can help you quickly integrate structured data sources with your Splunk real-time machine data collection. Supports DB2/Linux, Informix, MemSQL, MySQL, AWS Aurora, Microsoft SQL Server, Oracle, PostgreSQL, AWS RedShift, SAP SQL Anywhere, Sybase ASE, Sybase IQ, and Teradata.
It wouldn't be too hard to write a custom search command to do this, however. In fact, there is a curl command in "JKat's Toolkit" found here: https://splunkbase.splunk.com/app/3265/.
Such a command could be modified to search just MongoDB, but as I understand it, MongoDB is just a RESTful / API driven DB store. You should be able to use that curl command just fine.
There isn't a curl command in JKat's toolkit (jkats-toolkit_006) since December 2016. There are only the commands
urlencode commands have moved to TA-Webtools (https://splunkbase.splunk.com/app/3420/).
I was working with the Unity JDBC driver (http://www.unityjdbc.com/mongojdbc/mongo_jdbc.php) and got DB Connect to work with MongoDB using this stanza:
displayName = MongoDB2
serviceClass = com.splunk.dbx2.DefaultDBX2JDBC
jdbcUrlFormat = jdbc:mongodb://<host>:<port>/<database>
jdbcDriverClass = mongodb.jdbc.MongoDriver
port = 27017
Sorry for the delay... but I haven't been around the place to test this! It works. Thanks
Hi, I followed the steps but still all searches return empty (and no collections are returned to the data lab)
How do you install JDBC drivers for MongoDB? I copied the jar file mongo-java-driver-3.7.1.jar to the $SPLUNK_HOME/etc/apps/splunk_app_db_connect/drivers directory but I still see the errors below. My DB Connect version is 3.1.2
action=load_drivers Can not load any driver from files [$SPLUNK_HOME/etc/apps/splunk_app_db_connect/drivers/mongo-java-driver-3.7.1.jar]
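A way to inspect a JAR before it goes into the drivers directory, added here as an example and not taken from any post in this thread or from Splunk: it reports whether the archive declares a JDBC driver through the standard JDBC 4 service file META-INF/services/java.sql.Driver and whether it contains the class named in jdbcDriverClass. The function names and the two sample JARs are constructed for illustration; how DB Connect itself loads drivers is not shown on this page, so this only inspects the archive.

```python
import io
import zipfile

# JDBC 4 service-provider file: lists the java.sql.Driver implementations in a JAR.
SERVICE_FILE = "META-INF/services/java.sql.Driver"


def inspect_driver_jar(jar, driver_class):
    """Report what a JAR offers as a JDBC driver.

    jar: path or file-like object; driver_class: the jdbcDriverClass value.
    """
    class_entry = driver_class.replace(".", "/") + ".class"
    declared = []
    with zipfile.ZipFile(jar) as zf:
        names = set(zf.namelist())
        if SERVICE_FILE in names:
            for line in zf.read(SERVICE_FILE).decode("utf-8").splitlines():
                line = line.split("#", 1)[0].strip()  # drop comments and blanks
                if line:
                    declared.append(line)
    return {
        "declared_drivers": declared,              # classes named in the service file
        "declares_class": driver_class in declared,
        "has_driver_class": class_entry in names,  # the .class file is in the JAR
    }


def make_jar(entries):
    """Build a constructed in-memory JAR from {entry name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


# Constructed samples (not real driver JARs): one laid out like a JDBC driver,
# one that only carries a non-JDBC client class (hypothetical package name).
JDBC_JAR = {
    SERVICE_FILE: b"# constructed sample\nmongodb.jdbc.MongoDriver\n",
    "mongodb/jdbc/MongoDriver.class": b"\xca\xfe\xba\xbe",
}
CLIENT_ONLY_JAR = {"com/example/client/Client.class": b"\xca\xfe\xba\xbe"}

if __name__ == "__main__":
    for label, entries in (("jdbc", JDBC_JAR), ("client-only", CLIENT_ONLY_JAR)):
        print(label, inspect_driver_jar(make_jar(entries), "mongodb.jdbc.MongoDriver"))
```

Pass a file path instead of the in-memory sample to check a real JAR against the jdbcDriverClass value from the stanza.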