Splunk DB Connect Alternative

thomastaylor
Communicator

Hello everyone!

My team and I are weighing our options for various ways to connect to our databases with Splunk; however, our main Splunk department does not have the DB Connect app installed. From what I've read, if the DB Connect app is installed on an intermediary Heavy Forwarder (set up strictly as a forwarder with no extraction), then the main Splunk instance must have it as well.

That is not the case with us, so we are looking for alternatives. Does anyone have an alternative to the DBX app? I know that the SQLAlchemy Python library can connect to databases, but I'm not so sure how this would integrate with the Heavy Forwarder (maybe through Python inputs?).

If anyone has any recommendations, please let me know!

0 Karma
1 Solution

pmdba
Builder

Depending on your database, you may be able to use stored procedures to push data to Splunk via a TCP input. This way the data transfer could potentially be done on an event-driven basis (using a trigger, for instance) instead of a fixed schedule. An example of how to do that with Oracle can be found here: https://splunkbase.splunk.com/app/1538/

0 Karma

jtacy
Builder

If all you want to do is run batch outputs, as in run a query on a schedule and output the results to Splunk, you only need DB Connect installed on a Heavy Forwarder. I suppose for optimal performance you might want to write a props.conf on the Heavy Forwarder to set an appropriate MAX_TIMESTAMP_LOOKAHEAD and so on for the sourcetype that you select, but the events use a key=value format that Splunk will be able to extract automatically without modification to the search head.

0 Karma

RHASQaL
Path Finder

Could you use Modular Inputs (http://docs.splunk.com/Documentation/Splunk/7.1.1/AdvancedDev/ModInputsIntro), or scripted inputs (http://docs.splunk.com/Documentation/Splunk/7.1.1/AdvancedDev/ScriptedInputsIntro)?

In pre DB Connect days I saw scripted inputs used in a Windows environment with batch files. A bit antiquated but it did work.

0 Karma

thomastaylor
Communicator

This is a great suggestion. We were considering using a Python script on our local machine to connect to the remote databases and store the information in them in a file to get forwarded to our main Splunk enterprise.

0 Karma
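
A sketch of the scripted-input approach discussed in this thread, as an added example that is not code from any poster or from Splunk: a script the forwarder runs on a schedule, which prints only rows newer than a saved checkpoint as key="value" events. The `audit_log` table, its columns and the checkpoint file name are assumptions, and `sqlite3` stands in for the remote database; values are escaped so that a database field containing newlines or quotes cannot forge additional events or fields.

```python
import os
import sqlite3
import sys

# Hypothetical table and columns; ts comes first so timestamp lookahead stays short.
QUERY = "SELECT ts, id, username, action FROM audit_log WHERE id > ? ORDER BY id"

def quote(value):
    """Render a DB value as a quoted string that stays on one line, so a
    field containing newlines or quotes cannot forge extra events/fields."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return '"' + text.replace("\r", "\\r").replace("\n", "\\n") + '"'

def load_checkpoint(path):
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (FileNotFoundError, ValueError):
        return 0  # first run or unreadable file: start from the beginning

def save_checkpoint(path, value):
    tmp = path + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(str(value))
    os.replace(tmp, path)  # atomic swap: a crash never leaves a torn file

def collect(conn, checkpoint_path, out=sys.stdout):
    """Write rows newer than the checkpoint as key="value" events."""
    conn.row_factory = sqlite3.Row
    last = load_checkpoint(checkpoint_path)
    events = []
    for row in conn.execute(QUERY, (last,)):  # bound parameter, no string building
        events.append(" ".join(f"{k}={quote(row[k])}" for k in row.keys()))
        last = row["id"]
    out.write("".join(e + "\n" for e in events))
    save_checkpoint(checkpoint_path, last)  # advance only after the write
    return events

if __name__ == "__main__":
    # Constructed sample data; the second row tries to smuggle in a fake event.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY, ts TEXT,"
               " username TEXT, action TEXT)")
    db.executemany("INSERT INTO audit_log (ts, username, action) VALUES (?, ?, ?)", [
        ("2018-07-02T10:15:00Z", "alice", "login"),
        ("2018-07-02T10:16:30Z", "bob", 'note\nid="99" username="root"'),
    ])
    collect(db, "audit_log.checkpoint")
```

For a real database, connect with an account that has only SELECT on the source table and keep its credentials out of the script file.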