how to push KVSTORE data from search head to SQL DB

cleelakrishna
Loves-to-Learn

Hi

Can anyone help me with pushing KV store data from the search head to a SQL database?
Currently the KV store data is on the search head, which has some technical issues; to overcome that we have planned to move the KV store to a database. I'm planning to create and push inputs.conf through an app on the search head.

Please guide me on how to proceed further and let me know what to do.

Help will be appreciated.

Richfez
SplunkTrust

So, what you are going to want to do is the following.

First, set up DB Connect on your Search Head.

Make sure you have configured DB Connect with an appropriate Java version and the right drivers for your DB.

Create identities for Splunk to use to access your SQL DB, then create the database connection.

SIDEBAR: Spend a few minutes in a regular old search working out how you want the data to come out. It'll likely be some variant of | inputlookup mylookupname followed perhaps by some fields or table commands. Remember this search, or save it off, or copy it into Notepad - something.

The last piece of prep to get into place is build a table in SQL for your data. You will have to look at your source data to figure out field types, sizes and so on. Make sure the user you set up in identities has permission to write to this table.

OK, now that we have all the plumbing in place we can get started.

Open up your DB Connect app, go to DB Outputs and start following the output wizard. Most of this is pretty straightforward. You'll want to use the search you created in the sidebar above as your search; make sure to click on each field so they'll all be included in the output. Pick your destination server/schema/table and then assign fields as appropriate. Your execution frequency is, I believe, not important for your exact use case, but since it is required, set it to something like 80000 seconds (that way you have nearly a whole day to finish the step below 🙂).

So save it and watch it run. Keep your eye on SQL until the data is all across. Once it is, go to your Splunk DB Connect outputs and disable the input. Since you are just moving data out once, you don't need it scheduled.


Richfez
SplunkTrust

cleelakrishna,

If this resolved your issue, could you please mark it Accepted?

If it did not, please post back with more information or what's not working right so we can help finish this up!

Happy Splunking,
Rich
