What underlying database does Splunk use to operate?

SomnathShilimka
Explorer

Hi All,
I am a newbie in Splunk. I searched the documentation and also the community, but I did not get an answer to the question in my mind.
Question is: What database does Splunk use to work? Like Oracle or MySQL or PostgreSQL?

I also read one already posted question, provided at the link below:
http://splunk-base.splunk.com/answers/32499/what-database-engine-splunk-uses

On the same link, in the answers it is written like this:
I am not sure what is unclear to you in the previous answer. Splunk uses its own engine, and does not rely on any external databases in order to operate. It manages its own database via a series of flat files and indexes, and Damien has provided a few good resources for you to have an idea on how the data engine works.

Does it mean Splunk does not use any database like Oracle or MySQL etc.?

Thanks & regards,
Somnath


martin_mueller
SplunkTrust

[image]

bspargur1
New Member

Haha, that was an awesome pic. 🙂


stanwin
Contributor

That's a biiiiig bucket 😄

bspargur1
New Member

You are looking specifically at the indexes. The kvstores are MongoDB. Do you have a reference to how the Splunk-generated alerts are stored?

bspargur1
New Member

I understand indexing, but that is not the only place or way Splunk stores data.

bspargur1
New Member

There are the indexes, which are flat files. The lookups are CSV files or MongoDB. The alerts require relationships and are also stored in a DB, but I can't recall offhand if it is MySQL or MongoDB. I think it is MySQL.

nickhills
Ultra Champion

Nope, MySQL is not used inside Splunk.
The kvstore is Mongo, but again this is not used by Splunk for any kind of relationship mapping or storage.
The kvstore is provided for Splunk applications to use, not for Splunk per se.

If my comment helps, please give it a thumbs up!

bspargur1
New Member

When you configure alerts in Splunk, where are they stored? How is the relationship to the event data that was used to generate the alert stored? 🙂

Splunk uses MongoDB to store data because CSV files suck as they start to get large. I have always been curious why they used a JSON-structured DB over just using their flat file structure of the indexes with the mappings built in. Maybe because it is good and already existed?

martin_mueller
SplunkTrust

Indeed, no separate relational DB. The data structure underneath is Splunk-built.

martin_mueller
SplunkTrust

There is no separate product underneath; it's been built by Splunk.

SomnathShilimka
Explorer

Hi martin_mueller,
Thanks for the reply. I know Splunk has no need of a separate DB; what I want to know is: what is the name of that Splunk-built database (data structure)?

Regards,
Somnath
