We have been tasked with obtaining audit log data from a vendor's cloud hosted application via a web service call. We have written Oracle PL/SQL to obtain the data and parse it. We now need a strategy for getting this data into a Splunk Enterprise instance. How can this be done in the simplest, most secure way with as few additional software add ins or components possible? We are looking into DB Connect and Universal Forwarder but need to be able to call the forwarder from PL/SQL or Linux based process or make the data available for Splunk Enterprise to come for it in tables or files via an automated process.
Hi @mdmartinez
To send Data from Oracle (PL/SQL) to Splunk, in "push" mode, and with no third parties involved, on the Splunk side use Splunk TCP Data Input.
https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/Monitornetworkports
On the Oracle side (PL/SQL script or package/procedure) use Oracle package UTL_TCP. This package can be used to connect and write Oracle data to Splunk using Splunk's TCP Data Input.
https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/UTL_TCP.html#GUID-348AFFE8-78B2-...
At UTL_TCP the following subprograms are needed:
utl_tcp.open_connection
utl_tcp.write_line
utl_tcp.write_text
utl_tcp.close_connection
The Oracle "push" PL/SQL code logic can be implemented as PACKAGE/PROCEDURE that is called by an Oracle scheduler job. Must also take care for persisting the last processed value of the rising column (concept remains valid the same as for DB Connect).
regards
Altin
If the data is stored in an Oracle DB, DB Connect is the best option and you will not be needing a UF, as you would install DB connect on a Heavy Forwarder instance (preferred) or indexer and retrieve the data. See this document
https://docs.splunk.com/Documentation/DBX/3.2.0/DeployDBX/Installdatabasedrivers#Oracle
If the data is written to a file, you can setup a UF and modify the inputs.conf and outputs.conf.
- in the inputs, you specify a monitor stanza with the right sourcetype
- in the outputs, you specify the necessary certs and credentials to forward the data securely to the Splunk Indexer(s)