All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk DB Connect: How to connect to a database and output data into a CSV file periodically for use in different searches?

lohit
Path Finder
‎06-17-2015 01:33 AM

Hi All ,

I want to connect to a database and output the data into a CSV file periodically. The output CSV file will then be used in different searches. I am not sure how to do it with Splunk DB Connect APP ? Any help ?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

maciep
Champion
‎06-17-2015 10:41 AM

We the same thing for a few lookups here. Here's a high-level approach (assuming dbconnect 1.x). I'm not sure at which points you may need further help because they're all going to require a certain understanding

  1. Create the database connection in dbconnect
  2. Using that connection, write a search using dbquery to get the results you want
  3. Once you're search is returning the data you want, pipe the results to the outputlookup command
  4. That command will create a lookup file for you that you can use in a search
  5. Create a lookup definition for the new lookup file
  6. Try using that lookup in a search using the lookup command
  7. If that works, then take your search (with the output lookup) and save it.
  8. Now schedule that saved search

So on that schedule, the search will run and update your lookup file.

Other things to consider:
1. App Context of where you want that lookup to live
2. Permissions for that lookup
3. Automatically run searches against the lookup?

One other note is that dbconnect will allows you to create database lookups as well. Meaning, instead of going through the process of writing to a csv on a schedule, you could just query the database directly every time you need to do a lookup. Obviously, that might put more stress on your database if those lookups would be run often.

View solution in original post

Reply
Solved! Jump to solution
Solution

maciep
Champion
‎06-17-2015 10:41 AM

We the same thing for a few lookups here. Here's a high-level approach (assuming dbconnect 1.x). I'm not sure at which points you may need further help because they're all going to require a certain understanding

  1. Create the database connection in dbconnect
  2. Using that connection, write a search using dbquery to get the results you want
  3. Once you're search is returning the data you want, pipe the results to the outputlookup command
  4. That command will create a lookup file for you that you can use in a search
  5. Create a lookup definition for the new lookup file
  6. Try using that lookup in a search using the lookup command
  7. If that works, then take your search (with the output lookup) and save it.
  8. Now schedule that saved search

So on that schedule, the search will run and update your lookup file.

Other things to consider:
1. App Context of where you want that lookup to live
2. Permissions for that lookup
3. Automatically run searches against the lookup?

One other note is that dbconnect will allows you to create database lookups as well. Meaning, instead of going through the process of writing to a csv on a schedule, you could just query the database directly every time you need to do a lookup. Obviously, that might put more stress on your database if those lookups would be run often.

Reply
Solved! Jump to solution

lohit
Path Finder
‎06-18-2015 01:00 AM

Awesum explanation maciep !! I followed ur steps but i am stuck in setup. "Java Bridge Server nor running". I read docs and it says your JAVA_HOME path. For some reason it is not set in my environment. So i did which java and it redirects me to /usr/bin/java which indeed is a sym link to /usr/java/default/bin/java, so in the DBConnect app i set up home to be /usr/java/default but to no avail.

Could you let me know where i am wrong !!

0 Karma
Reply
Solved! Jump to solution

maciep
Champion
‎06-18-2015 04:01 AM

I'm not sure how much I can help here. We have a team that manages our linux boxes for us, so I'm not sure how exactly java is installed. But if it does help, here is the path we're using in dbconnect, ultimately pointing to the jre directory:

/usr/lib/jvm/java-1.6.0-openjdk-1.6.0.0.x86_64/jre

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top