Sending Data from Database To Splunk with the help of DB Connect (DBX–section 2)


This post explains how to create an input in the “Splunk-DB-Connect” application and get more out of a database with Splunk.

Creating an “Input” in the “Splunk-DB-Connect” application

Step one

Go to the “Inputs” page and click the “New-Input” button.

Step two

Set the SQL Query.

Connection: Choose the connection that you want to use with this input.

Catalog: Choose the catalog, if one is available.

Schema: Choose the schema from the database.

Table: Search for the table, or click the name of the table whose contents you want to index in Splunk.

SQL Editor

Use this to write SQL queries directly, as your requirements dictate.

Input Type

  • Splunk Add-on to Microsoft SQL-Server
  • Splunk Add-on to Oracle-Database
  • Splunk Add-on to McAfee
  • Splunk Add-on to Nagios Core

We aren’t using a template in this example.

The Input Type offers 2 kinds of input:


In the first kind, the SQL query runs on its schedule and collects the query's entire output every time it runs. Thus, there is a high probability of indexing duplicate data.


In the second kind, to eliminate the duplicate-data problem, you choose a column from the table that will be used for incremental data ingestion. Splunk keeps track of this column's value, so it knows how far the data has already been ingested. For instance, a “timestamp” column can serve as a rising column, because the timestamps will always be increasing.
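The duplicate problem and the rising-column fix described above, as an added example that is not part of the original post and not DB Connect's own code: a Python simulation over in-memory SQLite. The `audit_log` table, its rows and the function names are constructed for illustration; the third case goes one step beyond the text and shows that a timestamp column with tied values can leave a row unindexed.

```python
import sqlite3

# Constructed sample rows (id, ts, msg); table and values are hypothetical.
ROWS = [(1, "2024-01-01 10:00:00", "login alice"),
        (2, "2024-01-01 10:00:05", "login bob"),
        (3, "2024-01-01 10:00:05", "sudo bob")]  # same ts as row 2, arrives late

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE audit_log (id INTEGER, ts TEXT, msg TEXT)")
    db.executemany("INSERT INTO audit_log VALUES (?, ?, ?)", ROWS[:2])
    return db

def full_run(db, index):
    """Collect-everything input: each run indexes the whole query output."""
    index.extend(db.execute("SELECT id, ts, msg FROM audit_log ORDER BY id"))

def rising_run(db, index, column, checkpoint):
    """Rising-column input: fetch only rows above the saved checkpoint."""
    pos = {"id": 0, "ts": 1}[column]  # allow-list; KeyError on any other name
    rows = db.execute(
        f"SELECT id, ts, msg FROM audit_log WHERE {column} > ? ORDER BY {column}",
        (checkpoint,)).fetchall()
    index.extend(rows)
    # The new checkpoint is the highest value seen; unchanged if nothing new.
    return rows[-1][pos] if rows else checkpoint

def simulate(mode, column="id"):
    """Two scheduled runs; row 3 is inserted between them."""
    db, index = make_db(), []
    checkpoint = 0 if column == "id" else ""
    for late_rows in ([], ROWS[2:]):
        db.executemany("INSERT INTO audit_log VALUES (?, ?, ?)", late_rows)
        if mode == "full":
            full_run(db, index)
        else:
            checkpoint = rising_run(db, index, column, checkpoint)
    return [row[0] for row in index]  # ids of the events that were indexed

if __name__ == "__main__":
    print("full query  :", simulate("full"))          # rows 1 and 2 duplicated
    print("rising on id:", simulate("rising", "id"))  # each row exactly once
    print("rising on ts:", simulate("rising", "ts"))  # row 3 never indexed
```

A unique, strictly increasing column such as `id` avoids both the duplicates and the missed row.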


You can decide whether the current timestamp or a timestamp column from the table is used as the event timestamp in Splunk.

Click the “Next” button to go forward to input configuration.

Step three

Set Properties



Name: Give this input a distinct name.

Description: Though optional, a short description of what the input does will assist you and others.

Application: Choose the application context for this input; it defaults to “Splunk-DB-Connect”.

Max-rows retrieved: Specify the maximum number of rows to index every time the query executes. It defaults to infinite.

Fetch size: Specify the number of rows to fetch from the database at a time. It defaults to three hundred.

Remember that a single query execution can have numerous fetch cycles, depending on the number of rows retrieved.

Execution Frequency: Set the interval, in seconds, at which the query should run, or write a CRON expression.

Host: Optional. Give a host if you need to override the default value.

Source: Optional. Give a source if you need to override the default value.

Sourcetype: Provide the sourcetype for the input.

Index: Provide the name of the index where data from the input should be stored.

After all that, you should see a “Done” pop-up message.

Step four

After that, open a Search Head. In the search box, enter “index=oracle_db” to view the data coming from the database. You will see the database table name as the source of the data.

Moreover, you can use “SQL-Explorer” to experiment with and test SQL queries before using them to create inputs, outputs, etc.

Terry White