I have been using Splunk for the last few months. Recently I installed the DB Connect app and am also able to connect to Oracle and MySQL databases. But I am unable to figure out what advantage Splunk gives over the currently available database monitoring tools on the market. All the documentation talks about combining unstructured data and structured data. Can anybody explain, giving a scenario that uses unstructured data and database data to get valuable insights, taking say Oracle DB as an example?
Hi pradiptam, so much of this depends on your own environment, and what you care about. As an answer, I think you'll have a better idea as you explore the various commands that the Splunk Processing Language has to offer. Essentially, to the extent that your databases have valuable data in them, you can index that data in Splunk and use it like any other data source - to leverage the SPL against in order to deliver insights.
The key idea here is that this becomes more useful if you have a way of incorporating other data sources that correlate to the DB sources. Maybe trending web traffic against DB usage? It will vary depending on the data, but I think paying attention to this idea of tying together otherwise disparate sources is where you will find value.
Another area where the DB Connect app in particular offers value is that it lets you index data otherwise unavailable to Splunk. One of the primary ways of getting data into Splunk is a simple file monitor. Some apps don't log to the filesystem and instead log to databases. DB Connect gives Splunk an avenue for getting those events in as well.
DB Connect has relatively nothing to do with monitoring relational databases. DB Connect will not tell you if a database is healthy, or if the transaction load is too high, or if a query is running long because of a poorly designed execution plan. This is not its area of expertise. You may be able to use it for these purposes with a lot of help in the form of queries against catalog, snapshot, and performance schemas. But this is not really its purpose.
The main purpose of DB Connect is to make data that is in relational DBs available for use in Splunk. To give you an example, suppose you have a website that provides a shopping cart. That website is backed by an Oracle Database to provide the inventory of items that can be purchased on your site as well as a user directory of users. You are using Splunk to monitor the website's logs to track user activity on your website.
Your web server logs have lots of references to things like user IDs and product IDs, but you need to be able to tie those to additional information (like a product description or a user email address) within Splunk. Using DB Connect, you can make a "DB Lookup" that transparently links data from your web server logs to related data within Oracle.
You have now used DB Connect to take your unstructured data (web server logs) and enrich that information with structured data (Oracle DB queries) in a way that adds additional context and usefulness to your unstructured data. This is one of the larger use cases for DB Connect.
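The enrichment described in the answer above, sketched as an added example that is not part of the original thread and is not Splunk or DB Connect code: Python extracts the IDs from web server log lines and looks them up in a database. An in-memory SQLite database stands in for Oracle, and the log lines, the `users` and `products` tables, and the `user_id`/`product_id` URL parameters are all constructed for illustration.

```python
import re
import sqlite3

# Constructed sample web server log lines (the unstructured data).
LOG_LINES = [
    '203.0.113.7 - - [12/Mar/2014:10:01:22 +0000] "GET /cart/add?user_id=42&product_id=1001 HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Mar/2014:10:02:05 +0000] "GET /cart/add?user_id=77&product_id=1002 HTTP/1.1" 200 498',
    '198.51.100.4 - - [12/Mar/2014:10:03:41 +0000] "GET /cart/add?user_id=99&product_id=9999 HTTP/1.1" 404 120',
    '198.51.100.4 - - [12/Mar/2014:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

ID_RE = re.compile(r"user_id=(\d+)&product_id=(\d+)")

def build_db():
    """In-memory SQLite database standing in for the Oracle shop schema (hypothetical tables)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE products (product_id INTEGER PRIMARY KEY, description TEXT);
        INSERT INTO users VALUES (42, 'alice@example.com'), (77, 'bob@example.com');
        INSERT INTO products VALUES (1001, 'Blue kettle'), (1002, 'Desk lamp');
    """)
    return db

def enrich(lines, db):
    """Return one dict per log line that carries IDs, with the database fields added."""
    events = []
    for line in lines:
        m = ID_RE.search(line)
        if not m:
            continue  # no IDs in this event, nothing to look up
        user_id, product_id = int(m.group(1)), int(m.group(2))
        # Parameterized queries: values taken from logs are untrusted input.
        user = db.execute("SELECT email FROM users WHERE user_id = ?", (user_id,)).fetchone()
        prod = db.execute("SELECT description FROM products WHERE product_id = ?", (product_id,)).fetchone()
        events.append({
            "user_id": user_id,
            "product_id": product_id,
            "email": user[0] if user else None,  # None means the ID is not in the database
            "description": prod[0] if prod else None,
        })
    return events

if __name__ == "__main__":
    for event in enrich(LOG_LINES, build_db()):
        print(event)
```

Events whose IDs have no matching row come back with `None` fields rather than being dropped, which keeps requests for unknown users or products visible in the enriched output.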