Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Splunk DB Connect Alternative
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everyone!
My team and I are weighing our options for various ways to connect to our databases with Splunk; however, our main Splunk department does not have the DB Connect app installed. From what I've read, if the DB Connect app is installed on an intermediary Heavy Forwarder (setup strictly as a forwarder with no extraction), then the main Splunk instance must have it as well.
That is not the case with us, so we are looking for alternatives. Does anyone have an alternative to the DBX app? I know that the SQL Alchemy Python Library can connect to databases, but I'm not so sure how this would integrate with the Heavy Forwarder (Maybe through Python inputs?)
If anyone has any recommendations, please let me know!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Depending on your database, you may be able to use stored procedures to push data to Splunk via a TCP input. This way the data transfer could potentially be done on an event-driven basis (using a trigger, for instance) instead of a fixed schedule. An example of how to do that with Oracle can be found here: https://splunkbase.splunk.com/app/1538/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If all you want to do is run batch outputs, as in run a query on a schedule and output the results to Splunk, you only need DB Connect installed on a Heavy Forwarder. I suppose for optimal performance you might want to write a props.conf on the Heavy Forwarder to set an appropriate MAX_TIMESTAMP_LOOKAHEAD and so on for the sourcetype that you select, but the events use a key=value format that Splunk will be able to extract automatically without modification to the search head.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Depending on your database, you may be able to use stored procedures to push data to Splunk via a TCP input. This way the data transfer could potentially be done on an event-driven basis (using a trigger, for instance) instead of a fixed schedule. An example of how to do that with Oracle can be found here: https://splunkbase.splunk.com/app/1538/
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you use Modular Inputs (http://docs.splunk.com/Documentation/Splunk/7.1.1/AdvancedDev/ModInputsIntro), or scripted inputs (http://docs.splunk.com/Documentation/Splunk/7.1.1/AdvancedDev/ScriptedInputsIntro)?
In pre DB Connect days I saw scripted inputs used in a Windows environment with batch files. A bit antiquated but it did work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This a great suggestion. We were considering using a Python script on our local machine to connect to the remote databases and store the information in them in a file to get forwarded to our main Splunk enterprise.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
