Splunk DB Connect Alternative

thomastaylor
Communicator

Hello everyone!

My team and I are weighing our options for various ways to connect to our databases with Splunk; however, our main Splunk department does not have the DB Connect app installed. From what I've read, if the DB Connect app is installed on an intermediary Heavy Forwarder (set up strictly as a forwarder with no extraction), then the main Splunk instance must have it as well.

That is not the case with us, so we are looking for alternatives. Does anyone have an alternative to the DBX app? I know that the SQLAlchemy Python library can connect to databases, but I'm not so sure how this would integrate with the Heavy Forwarder (maybe through Python inputs?).

If anyone has any recommendations, please let me know!

0 Karma
1 Solution

pmdba
Builder

Depending on your database, you may be able to use stored procedures to push data to Splunk via a TCP input. This way the data transfer could potentially be done on an event-driven basis (using a trigger, for instance) instead of a fixed schedule. An example of how to do that with Oracle can be found here: https://splunkbase.splunk.com/app/1538/

0 Karma

jtacy
Builder

If all you want to do is run batch outputs, as in run a query on a schedule and output the results to Splunk, you only need DB Connect installed on a Heavy Forwarder. I suppose for optimal performance you might want to write a props.conf on the Heavy Forwarder to set an appropriate MAX_TIMESTAMP_LOOKAHEAD and so on for the sourcetype that you select, but the events use a key=value format that Splunk will be able to extract automatically without modification to the search head.

0 Karma

RHASQaL
Path Finder

Could you use Modular Inputs (http://docs.splunk.com/Documentation/Splunk/7.1.1/AdvancedDev/ModInputsIntro), or scripted inputs (http://docs.splunk.com/Documentation/Splunk/7.1.1/AdvancedDev/ScriptedInputsIntro)?

In pre DB Connect days I saw scripted inputs used in a Windows environment with batch files. A bit antiquated but it did work.

0 Karma

thomastaylor
Communicator

This is a great suggestion. We were considering using a Python script on our local machine to connect to the remote databases and store the information in them in a file to get forwarded to our main Splunk enterprise.

0 Karma
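A sketch of the scripted-input approach discussed in this thread, added here as an example and not code from any poster or from Splunk: it pulls only rows newer than a saved checkpoint using a bound-parameter query and prints timestamp-first key=value events. The `audit_log` table, its columns, the checkpoint path and the in-memory SQLite database standing in for the remote database are all assumptions, and `ts` is assumed to be a typed timestamp column.

```python
import sqlite3

CHECKPOINT = "audit_log.ckpt"  # hypothetical path; keep it outside any monitored directory

def kv(value):
    """Quote a value; neutralise quotes/newlines so DB content cannot forge fields or events."""
    text = str(value).replace('"', "'").replace("\r", " ").replace("\n", " ")
    return f'"{text}"'

def fetch_events(conn, last_id, limit=1000):
    """Return (event_lines, new_checkpoint) for rows whose id is greater than last_id."""
    cur = conn.execute(  # bound parameters only, never string-built SQL
        "SELECT id, ts, username, action FROM audit_log WHERE id > ? ORDER BY id LIMIT ?",
        (last_id, limit))
    cols = [d[0] for d in cur.description]
    events = []
    for row in cur:
        rec = dict(zip(cols, row))
        fields = " ".join(f"{k}={kv(v)}" for k, v in rec.items() if k != "ts")
        events.append(f"{rec['ts']} {fields}")  # timestamp first, so lookahead can stay short
        last_id = rec["id"]
    return events, last_id

def load_checkpoint(path):
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (FileNotFoundError, ValueError):
        return 0  # first run or damaged checkpoint: start from the beginning

def sample_db():
    """Constructed in-memory table standing in for the remote database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE audit_log (id INTEGER PRIMARY KEY, ts TEXT, username TEXT, action TEXT)")
    conn.executemany("INSERT INTO audit_log (ts, username, action) VALUES (?, ?, ?)", [
        ("2024-01-01T10:00:00Z", "alice", "login"),
        ("2024-01-01T10:01:00Z", "bob", "export report"),
        ("2024-01-01T10:02:00Z", "bob", 'update "x"\nid=999'),
    ])
    return conn

if __name__ == "__main__":
    conn = sample_db()
    events, new_id = fetch_events(conn, load_checkpoint(CHECKPOINT))
    for line in events:
        print(line)  # Splunk indexes a scripted input's stdout
    with open(CHECKPOINT, "w") as fh:  # written after output: at-least-once delivery
        fh.write(str(new_id))
```

Against a real database, the account the script connects with should hold SELECT rights on the polled table only, and its credentials should not live in the script itself.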