
how to push KVSTORE data from search head to SQL DB



Can anyone help me in pushing KV store data from a search head to a SQL database?
Currently the KV store data is on the search head, which has some technical issues; to overcome that we have planned to move the KV store to a database. I'm planning to create and push inputs.conf through an app on the search head.

Please guide me how to proceed further and let me know what to do.

Help will be appreciated.



So, what you are going to want to do is the following.

First, set up DB Connect on your Search Head.

Make sure you have configured DB Connect with an appropriate Java version and the right drivers for your DB.

Create identities for Splunk to use to access your SQL DB, then create the database connection.

SIDEBAR: Spend a few minutes in a regular old search working out how you want the data to come out. It'll likely be some variant of | inputlookup mylookupname followed perhaps by some fields or table commands. Remember this search, or save it off, or copy it into Notepad - something.

The last piece of prep to get into place is build a table in SQL for your data. You will have to look at your source data to figure out field types, sizes and so on. Make sure the user you set up in identities has permission to write to this table.

OK, now that we have all the plumbing in place we can get started.

Open up your DB Connect app, go to DB Outputs and start following the output wizard. Most of this is pretty straightforward. You'll want to use the search you created in the sidebar above as your search; make sure to click on each field so they'll all be included in the output. Pick your destination server/schema/table and then assign fields as appropriate. Your execution frequency is, I believe, not important for your exact use case, but since it is required, set it to something like 80000 seconds (that way you have nearly a whole day to finish the step below... 🙂).

So save it and watch it run. Keep your eye on SQL until the data is all across. Once it is, go to your Splunk DB Connect outputs and disable the input. Since you are just moving data out once, you don't need it scheduled.

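The prep step above leaves two things to the reader: working out SQL field types and sizes from the KV store data, and creating the target table before the DB Connect output is configured. The following is an added example that is not part of DB Connect or of the answer; it takes rows shaped like what `| inputlookup mylookupname` would return (the rows below are constructed), infers a conservative column type for each field, renders the CREATE TABLE statement with `_key` as the primary key, and round-trips the rows through an in-memory SQLite table to check the DDL actually loads. SQLite is a stand-in for the real destination, and the table name `kv_export` is an assumption. Field names are taken from the export and so are treated as untrusted when building DDL.

```python
import math
import re
import sqlite3

# Constructed sample rows standing in for what `| inputlookup mylookupname`
# would return from the KV store collection. Not data from the original post.
SAMPLE_ROWS = [
    {"_key": "5f1a0c01", "host": "web-01", "severity": 3, "score": 0.87, "is_active": True},
    {"_key": "5f1a0c02", "host": "web-02.example.internal", "severity": 1, "score": 0.12, "is_active": False},
    {"_key": "5f1a0c03", "host": "db-01", "severity": 5, "score": 1.0, "is_active": True},
]

# Field names come out of the KV store data, so they are untrusted input to the DDL:
# only plain identifiers are accepted; anything else is rejected rather than quoted around.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _sql_type(values):
    """Choose a conservative SQL type from the values observed in one column."""
    seen = [v for v in values if v is not None]
    if seen and all(isinstance(v, bool) for v in seen):
        return "BOOLEAN"
    if seen and all(isinstance(v, int) and not isinstance(v, bool) for v in seen):
        return "INTEGER"
    if seen and all(isinstance(v, (int, float)) and not isinstance(v, bool) for v in seen):
        return "DOUBLE PRECISION"
    # Strings (or mixed types): twice the longest value seen, rounded up to 32, minimum 32.
    longest = max((len(str(v)) for v in seen), default=1)
    return f"VARCHAR({max(32, math.ceil(longest * 2 / 32) * 32)})"


def infer_schema(rows):
    """Map each field to a SQL type, keeping _key first so it can be the primary key."""
    columns = []
    for row in rows:
        for name in row:
            if name not in columns:
                columns.append(name)
    if "_key" in columns:
        columns.remove("_key")
        columns.insert(0, "_key")
    for name in columns:
        if not _IDENT.match(name):
            raise ValueError(f"unsafe column name in KV store export: {name!r}")
    return {name: _sql_type([row.get(name) for row in rows]) for name in columns}


def build_create_table(table, schema):
    """Render CREATE TABLE DDL; _key becomes the primary key when present."""
    if not _IDENT.match(table):
        raise ValueError(f"unsafe table name: {table!r}")
    cols = []
    for name, sql_type in schema.items():
        suffix = " PRIMARY KEY" if name == "_key" else ""
        cols.append(f'    "{name}" {sql_type}{suffix}')
    return f'CREATE TABLE "{table}" (\n' + ",\n".join(cols) + "\n);"


def load_into_sqlite(rows, table):
    """Round-trip the rows through an in-memory SQLite table and return the row count.

    SQLite stands in for the real destination; the same DDL and a parameterised INSERT
    are what you would run against the real database (types may need adjusting there).
    """
    schema = infer_schema(rows)
    conn = sqlite3.connect(":memory:")
    conn.execute(build_create_table(table, schema))
    names = list(schema)
    placeholders = ", ".join("?" for _ in names)
    quoted = ", ".join(f'"{n}"' for n in names)
    conn.executemany(
        f'INSERT INTO "{table}" ({quoted}) VALUES ({placeholders})',
        [tuple(row.get(n) for n in names) for row in rows],
    )
    conn.commit()
    (count,) = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()
    conn.close()
    return count


if __name__ == "__main__":
    print(build_create_table("kv_export", infer_schema(SAMPLE_ROWS)))
    print("rows loaded:", load_into_sqlite(SAMPLE_ROWS, "kv_export"))
```

Run the generated DDL against the destination database before walking through the output wizard, and grant the DB Connect identity only INSERT on that table (plus SELECT if you want to verify from Splunk), rather than broad rights on the schema.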



If this resolved your issue, could you please mark it Accepted?

If it did not, please post back with more information or what's not working right so we can help finish this up!

Happy Splunking,
