1. Copyright © 2013 Splunk Inc.
Tapan Bhatt / Raanan Dagan
May 2013
Splunk DB Connect:
Enrich Machine Data with
Structured Data

2. Agenda
Background and Overview
DB Connect Demo
Technical Overview
Customer Examples & Summary
Questions

3. Splunk: the Platform for Machine Data
3
Real-time Business Insights
Operational Visibility
Proactive Monitoring
Search and Investigation
Operational IntelligenceMachine Data

4. What about Structured Data?
4
Customer
Profile
Product
Attributes
Employee
Details
Pricing &
Rate Plans
Asset
Info

5. Machine Data – Delivers Real-time Insights
5
Media Server
Logs
(Machine Data)
Mar 01 19:18:50:000 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct start for 2172618992@splunktel.com
10.164.232.181 from 12.130.60.5 recorded OK.
2013-03-01 19:18:50:150 10.2.1.34 GET /sync/addtolibrary/01011207201000005652000000000053 - 80 - 10.164.232.181 "Mozilla/5.0
(iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3"
503 0 0 825 1680
Mar 01 19:18:50:163 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct stop for 2172618992@splunktel.com
10.164.232.181 from 12.130.60.5 recorded OK.
Phone Number IP Address
Track ID

6. Structured Data – Contains Business Context
6
Media Server
Logs
(Machine Data)
Mar 01 19:18:50:000 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct start for 2172618992@splunktel.com
10.164.232.181 from 12.130.60.5 recorded OK.
2013-03-01 19:18:50:150 10.2.1.34 GET /sync/addtolibrary/01011207201000005652000000000053 - 80 - 10.164.232.181 "Mozilla/5.0
(iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3"
503 0 0 825 1680
Mar 01 19:18:50:163 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct stop for 2172618992@splunktel.com
10.164.232.181 from 12.130.60.5 recorded OK.
Track ID Artist Title Format ID Run time
01011207201000005652000000000053 Maroon 5 Moves like Jagger MP3 4:30
Phone # Subscriber ID
2172618992 53546
Subscriber
ID
First Name Last Name Age State Customer
Score
53546 Jim Morrison 25 CA 93
Customer,
Product
Databases
Phone Number IP Address Track ID

7. Operational Dashboards with Business Context
7
Top TracksUser Activity
Click to investigate
Customer experience Download Errors
by device

8. Enrich Machine Data with Structured Data
8
Structured Databases
CSV Lookup
DB Connect
Launched March 2013

9. Introducing Splunk DB Connect
Enrich search results with additional
business context
Easily import data into Splunk for
deeper analysis
Integrate multiple DBs concurrently
Simple set-up, non-evasive and secure
Reliable, scalable, real-time
integration between Splunk and
traditional relational databases
Microsoft SQL
Server
JDBC
Database
Lookup
Database
Query
Connection
Pooling
Other
Databases
Oracle
Database
Java Bridge Server
9

10. Delivering Operational Intelligence
10
IT Operations Analytics
> Machine Data
Application
logs, monitoring data,
disk utilization
Operational Intelligence
Security AnalyticsFirewall logs, Radius
logs, Nessus vulnerability
Critical assets, watch-
lists, privileged user lists,
black-lists, device data
>
CMDB, asset
inventory, topology, user, c
ost and department
information
Structured Data
Business Analytics
Device activation,
Radius, application logs
Rate plans, customer
profile, geo location

11. Splunk DB Connect
Demo
11

12. Splunk DB Connect
Technical Overview

13. Splunk DB Connect: Main Features
Database Connection Management
SQL Database Lookups
Splunk Search Language extensions
– Database Query
– Database Info
SQL Database Input
13

14. Installing Splunk DB Connect
Simple app setup, no configuration files to touch
Automatically checks for the required Java version
14

15. Database Connection Management
Configure new database connection settings in minutes
from the Splunk user interface
15

16. Microsoft SQL
Server
JDBC
Database
Lookup
Database
Query
Connection
Pooling
Other
Databases
Oracle
Database
Java Bridge Server
Works with Many Databases
Supports mainstream databases
– Oracle Database
– Microsoft SQL Server
– MySQL
– PostgreSQL
– Sybase
– Generic JDBC support
Database connection pooling limits
load on Database
16

17. Database Lookups
17
Enrich machine data by adding structured data from
traditional relational databases

18. Three Steps to Enriching Machine Data
18
1. Connect
2. Configure
3. Enrich

19. Splunk Search Language Extensions
Execute database queries directly from the Splunk user interface with
new Dbquery and Dbinfo Splunk search commands
19
*** DBoutput (BETA) - Create or Update database records on information Splunk searches

20. Explore Database Structure
Wrapping
dbinfo and
dbquery
20
Browse and navigate database schemas and tables from the
Splunk DB Connect user interface

21. Import and Index Database Data
Combine machine data with structured data from relational databases
21
New dbmon-tail and dbmon-dump
input types can be used to import
rows from the database

22. Technical Summary
Quick to set-up, scales to multiple concurrent databases
Enrich machine data with database data in three easy steps
Execute SQL queries to visualize database data directly in the
Splunk user interface
Import and index database data for historical analysis and
correlation with machine data
22

23. Success Stories

24. Powering Search Analytics
24
Understanding customer
usage
Client Name,
Country, Email
Feed ID
SQL SQL SQL
= Client Databases contain
Client Name, Country and
Email information
Database
+
Machine
Data
= Search Activity tracked by
Feed ID

25. Enabling Exceptional Customer Service
25
Users to Customers
mapping
SQL SQL
User
Activity
= Customer details,
external/internal details
Database
+
Machine
Data
= User activity data from
SaaS application, websites
SaaS
Real-time visibility of
customer experience
Website

26. Powerful Connectivity Drives Better Insights
26
Developer
Platform
Report
and
analyze
Custom
dashboards
Monitor
and alert
Ad hoc
search
SQL
Splunk Hadoop Connect
• Reliable bi-directional
integration to Hadoop
Splunk DB Connect
• Real-time integration
to relational DBs
Splunk Dev Platform
• API and SDKs to build
Big Data apps

27. Summary
Machine data contains a categorical record of activity and
behavior
Enrich with structured data to provide business context – for
better IT, security and business insights
Splunk DB Connect delivers reliable, scalable, real-time
integration between Splunk and traditional relational databases
27

28. Questions
Tapan Bhatt
tbhatt@splunk.com
Raanan Dagan
rdagan@splunk.com