
Sending audit log data to Splunk from PL/SQL

mdmartinez
New Member

We have been tasked with obtaining audit log data from a vendor's cloud-hosted application via a web service call. We have written Oracle PL/SQL to obtain the data and parse it. We now need a strategy for getting this data into a Splunk Enterprise instance. How can this be done in the simplest, most secure way, with as few additional software add-ins or components as possible? We are looking into DB Connect and the Universal Forwarder, but we need to be able to call the forwarder from PL/SQL or a Linux-based process, or make the data available for Splunk Enterprise to come and get it in tables or files via an automated process.

0 Karma

altink
Builder

Hi @mdmartinez 

To send data from Oracle (PL/SQL) to Splunk in "push" mode, with no third parties involved, use a Splunk TCP data input on the Splunk side.

https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/Monitornetworkports 

On the Oracle side (PL/SQL script or package/procedure) use Oracle package UTL_TCP. This package can be used to connect and write Oracle data to Splunk using Splunk's TCP Data Input.

https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/UTL_TCP.html#GUID-348AFFE8-78B2-... 

In UTL_TCP the following subprograms are needed:

utl_tcp.open_connection
utl_tcp.write_line
utl_tcp.write_text
utl_tcp.close_connection

The Oracle "push" PL/SQL logic can be implemented as a PACKAGE/PROCEDURE that is called by an Oracle scheduler job. You must also take care to persist the last processed value of the rising column (the concept is the same as for DB Connect).

regards
Altin

0 Karma
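One way to implement the push Altin describes, as an added example that is not part of the original answer or of any Oracle or Splunk documentation: the table vendor_audit_log (columns id, event_time, payload), the checkpoint table splunk_checkpoint, the schema AUDIT_PUSH, the host splunk.example.com and the port 5140 are all assumptions. The procedure ships every unsent row as one line over UTL_TCP, advances the rising-column checkpoint only after the whole batch has been flushed and the socket closed, and is driven by a DBMS_SCHEDULER job.

```sql
-- Added example (not from the original answer): push unsent audit rows to a
-- raw Splunk TCP input with UTL_TCP and persist the rising-column checkpoint.
-- Assumed objects: table vendor_audit_log(id NUMBER, event_time TIMESTAMP WITH
-- TIME ZONE, payload VARCHAR2), schema AUDIT_PUSH, host splunk.example.com.

-- One checkpoint row per feed holds the last rising-column value shipped.
CREATE TABLE splunk_checkpoint (
  feed_name VARCHAR2(64) PRIMARY KEY,
  last_id   NUMBER       NOT NULL
);
INSERT INTO splunk_checkpoint (feed_name, last_id) VALUES ('vendor_audit', 0);
COMMIT;

-- Network ACL (12c+ API): allow only schema AUDIT_PUSH to connect, and only to
-- the Splunk host and port. Without an ACL entry UTL_TCP raises ORA-24247.
BEGIN
  DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
    host       => 'splunk.example.com',
    lower_port => 5140,
    upper_port => 5140,
    ace        => xs$ace_type(privilege_list => xs$name_list('connect'),
                              principal_name => 'AUDIT_PUSH',
                              principal_type => xs_acl.ptype_db));
END;
/

CREATE OR REPLACE PROCEDURE push_audit_to_splunk (
  p_host IN VARCHAR2    DEFAULT 'splunk.example.com',
  -- a raw [tcp://5140] input; 9997 is the splunktcp forwarder port and
  -- expects the forwarder protocol, not plain lines
  p_port IN PLS_INTEGER DEFAULT 5140
) AS
  l_conn    UTL_TCP.connection;
  l_last_id splunk_checkpoint.last_id%TYPE;
  l_sent_id splunk_checkpoint.last_id%TYPE;
  l_bytes   PLS_INTEGER;
BEGIN
  -- Lock the checkpoint row so two overlapping job runs cannot ship the same rows.
  SELECT last_id INTO l_last_id
    FROM splunk_checkpoint
   WHERE feed_name = 'vendor_audit'
     FOR UPDATE;
  l_sent_id := l_last_id;

  l_conn := UTL_TCP.open_connection(remote_host => p_host,
                                    remote_port => p_port,
                                    charset     => 'AL32UTF8',
                                    tx_timeout  => 10);
  -- If the Splunk input is TLS-enabled, pass wallet_path/wallet_password to
  -- open_connection and call UTL_TCP.secure_connection(l_conn) here.

  FOR r IN (SELECT id, event_time, payload
              FROM vendor_audit_log
             WHERE id > l_last_id
             ORDER BY id)
  LOOP
    -- One event per line: the TCP input splits on newlines, so strip CR/LF
    -- from the payload and lead with an ISO-8601 UTC timestamp Splunk can parse.
    l_bytes := UTL_TCP.write_line(l_conn,
                 TO_CHAR(SYS_EXTRACT_UTC(r.event_time), 'YYYY-MM-DD"T"HH24:MI:SS.FF3"Z"')
                 || ' audit_id=' || r.id || ' '
                 || REPLACE(REPLACE(r.payload, CHR(13), ' '), CHR(10), ' '));
    l_sent_id := r.id;
  END LOOP;

  UTL_TCP.flush(l_conn);
  UTL_TCP.close_connection(l_conn);

  -- Advance the checkpoint only after the whole batch has left the socket.
  UPDATE splunk_checkpoint SET last_id = l_sent_id WHERE feed_name = 'vendor_audit';
  COMMIT;
EXCEPTION
  WHEN OTHERS THEN
    BEGIN UTL_TCP.close_connection(l_conn); EXCEPTION WHEN OTHERS THEN NULL; END;
    ROLLBACK;  -- checkpoint stays at l_last_id; the batch is re-sent on the next run
    RAISE;
END push_audit_to_splunk;
/

-- Run the push every five minutes from the Oracle scheduler.
BEGIN
  DBMS_SCHEDULER.CREATE_JOB(
    job_name        => 'SPLUNK_AUDIT_PUSH',
    job_type        => 'STORED_PROCEDURE',
    job_action      => 'PUSH_AUDIT_TO_SPLUNK',
    start_date      => SYSTIMESTAMP,
    repeat_interval => 'FREQ=MINUTELY; INTERVAL=5',
    enabled         => TRUE);
END;
/
```

Two caveats worth knowing before relying on this. A raw TCP input gives no acknowledgement, so a write that returns has only reached the socket buffer, not the index; if the connection dies mid-batch the checkpoint is not advanced and the rows already written are sent again on the next run, which makes delivery at-least-once rather than exactly-once (deduplicate on audit_id in Splunk or accept the duplicates). On the Splunk side, the matching inputs.conf stanza should be `[tcp://5140]` with a fixed `sourcetype` and `index`, and `acceptFrom` set to the database host's address so that nothing else on the network can inject events into the audit index; run the job in a dedicated schema that has only SELECT on the audit table and the ACL entry above.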

anmolpatel
Builder

If the data is stored in an Oracle DB, DB Connect is the best option and you will not be needing a UF, as you would install DB connect on a Heavy Forwarder instance (preferred) or indexer and retrieve the data. See this document
https://docs.splunk.com/Documentation/DBX/3.2.0/DeployDBX/Installdatabasedrivers#Oracle

If the data is written to a file, you can set up a UF and modify the inputs.conf and outputs.conf.
- in the inputs, you specify a monitor stanza with the right sourcetype
- in the outputs, you specify the necessary certs and credentials to forward the data securely to the Splunk Indexer(s)

0 Karma
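The file-monitoring route from the answer above, as an added example that is not part of the original post: the directory /var/audit/vendor, the sourcetype vendor:audit, the index vendor_audit, the indexer host names and the certificate paths are assumptions. The outputs.conf stanza shows the setting that is weak by default next to the corrected value.

```ini
# $SPLUNK_HOME/etc/system/local/inputs.conf on the Linux host where PL/SQL
# writes the parsed audit data (assumed path and names).
# Note: Splunk .conf files do not support comments at the end of a value line;
# text after a value becomes part of the value, so comments stay on their own lines.
[monitor:///var/audit/vendor/*.log]
sourcetype = vendor:audit
index = vendor_audit
disabled = false

# $SPLUNK_HOME/etc/system/local/outputs.conf on the same host.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.com:9997, idx2.example.com:9997
useSSL = true
# Client certificate the indexers will require from this forwarder; the
# passphrase is rewritten in encrypted form by splunkd after the first restart.
clientCert = $SPLUNK_HOME/etc/auth/mycerts/uf-client.pem
sslPassword = <private-key-passphrase>
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
# Default is false, which means the forwarder will hand the audit data to any
# host that presents a certificate on 9997. Set it to true and pin the names.
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.com, idx2.example.com
```

The index named in inputs.conf has to exist on the indexers before data arrives, otherwise the events are dropped or land in the last-chance index depending on the version; the indexer side needs a matching `[splunktcp-ssl:9997]` input with `requireClientCert = true` so that only forwarders holding a certificate issued by that CA can send to it.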