How to import Splunk Data into Apache Solr



Use the CData JDBC Driver for Splunk in the Data Import Handler to create an automated import of Splunk data into the Apache Solr enterprise search platform.

The Apache Solr platform is a popular, blazing-fast, open source enterprise search solution built on Apache Lucene.

Apache Solr is equipped with the Data Import Handler (DIH), which can import data from databases and from XML, CSV, and JSON files. When paired with the CData JDBC Driver for Splunk, you can easily import Splunk data to Apache Solr. In this article, we show step by step how to use the CData JDBC Driver in the Apache Solr Data Import Handler and import Splunk data for use in enterprise search.

Create an Apache Solr Core and a Schema for Importing Splunk

  1. Run Apache Solr and create a Core.

         > solr create -c CDataCore

     For this article, Solr is running as a standalone instance in the local environment, and you can access the core at this URL: http://localhost:8983/solr/#/CDataCore/core-overview
  2. Create a schema consisting of "field" objects to represent the columns of the Splunk data to be imported and a unique key for the entity. LastModifiedDate, if it exists in Splunk, is used for incremental updates. If it does not exist, you cannot use the deltaQuery described in the later section. Save the schema in the managed-schema file created by Apache Solr.
  3. SplunkUniqueKey
  4. Install the CData Splunk JDBC Driver. Copy the JAR and license file (cdata.splunk.jar and cdata.jdbc.splunk.lic) to the Solr directory.
    • CData JDBC JAR file: C:\Program Files\CData\CData JDBC Driver for Splunk ####\lib
    • Apache Solr: solr-8.5.2\server\lib

Now we are ready to use Splunk data in Solr.

Define an Import of Splunk to Apache Solr

In this section, we walk through configuring the Data Import Handler.

  1. Modify the config file of the created Core. Add the JAR file reference and the DIH RequestHandler definition.

         <lib dir="${solr.install.dir:../../../..}/dist/" regex="solr-dataimporthandler-.*\.jar" />
         <requestHandler name="/dataimport" class="org.apache.solr.handler.dataimport.DataImportHandler">
           <lst name="defaults">
             <str name="config">solr-data-config.xml</str>
           </lst>
         </requestHandler>

  2. Next, create a solr-data-config.xml at the same level. In this article, we retrieve a table from Splunk, but you can use a custom SQL query to request data as well. The Driver Class and a sample JDBC Connection string are in the sample code below.

         <dataConfig>
           <dataSource driver="cdata.jdbc.splunk.SplunkDriver"
                       url="jdbc:splunk:user=MyUserName;password=MyPassword;URL=MyURL;InitiateOAuth=GETANDREFRESH">
           </dataSource>
           <document>
             <entity name="DataModels"
                     query="SELECT Id,SplunkColumn1,SplunkColumn2,SplunkColumn3,SplunkColumn4,SplunkColumn5,SplunkColumn6,SplunkColumn7,LastModifiedDate FROM DataModels"
                     deltaQuery="SELECT Id FROM DataModels where LastModifiedDate >= '${dataimporter.last_index_time}'"
                     deltaImportQuery="SELECT Id,SplunkColumn1,SplunkColumn2,SplunkColumn3,SplunkColumn4,SplunkColumn5,SplunkColumn6,SplunkColumn7,LastModifiedDate FROM DataModels where Id=${dataimporter.delta.Id}">
               <field column="Id" name="Id"></field>
               <field column="SplunkColumn1" name="SplunkColumn1"></field>
               <field column="SplunkColumn2" name="SplunkColumn2"></field>
               <field column="SplunkColumn3" name="SplunkColumn3"></field>
               <field column="SplunkColumn4" name="SplunkColumn4"></field>
               <field column="SplunkColumn5" name="SplunkColumn5"></field>
               <field column="SplunkColumn6" name="SplunkColumn6"></field>
               <field column="SplunkColumn7" name="SplunkColumn7"></field>
               <field column="LastModifiedDate" name="LastModifiedDate"></field>
             </entity>
           </document>
         </dataConfig>

  3. In the query attribute, set the SQL query that selects the data from Splunk. deltaQuery and deltaImportQuery define the ID and the conditions used for incremental updates, which apply from the second import of the same entity onward.
  4. After all settings are done, restart Solr.

         > solr stop -all
         > solr start
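
The sample solr-data-config.xml above keeps the Splunk password in the JDBC URL and relies on deltaImportQuery referencing a column that deltaQuery returns. The following is an added example, not code from CData or Apache Solr, that lints a data-config for both points; the key-name heuristic and the treatment of a `${...}` value as a placeholder filled in from outside the file are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the article's solr-data-config.xml (column list shortened).
SAMPLE_CONFIG = """<dataConfig>
  <dataSource driver="cdata.jdbc.splunk.SplunkDriver"
              url="jdbc:splunk:user=MyUserName;password=MyPassword;URL=MyURL;InitiateOAuth=GETANDREFRESH"/>
  <document>
    <entity name="DataModels"
            query="SELECT Id,SplunkColumn1,LastModifiedDate FROM DataModels"
            deltaQuery="SELECT Id FROM DataModels where LastModifiedDate >= '${dataimporter.last_index_time}'"
            deltaImportQuery="SELECT Id,SplunkColumn1,LastModifiedDate FROM DataModels where Id=${dataimporter.delta.Id}"/>
  </document>
</dataConfig>"""

SECRET_HINT = re.compile(r"password|secret|token", re.I)  # heuristic chosen for this example
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")                # assumed: value comes from outside the file

def parse_jdbc_props(url):
    """Split 'jdbc:splunk:k=v;k=v' into a dict of connection properties."""
    _, _, props = url.partition("jdbc:splunk:")
    return dict(p.split("=", 1) for p in props.split(";") if "=" in p)

def audit(config_xml):
    """Return findings for literal secrets and for delta variables deltaQuery never returns."""
    findings = []
    root = ET.fromstring(config_xml)
    for ds in root.iter("dataSource"):
        for key, value in parse_jdbc_props(ds.get("url", "")).items():
            if SECRET_HINT.search(key) and value and not PLACEHOLDER.match(value):
                findings.append(f"dataSource: literal value for '{key}' stored in config")
    for ent in root.iter("entity"):
        dq, diq = ent.get("deltaQuery"), ent.get("deltaImportQuery")
        if not (dq and diq):
            continue
        m = re.match(r"\s*select\s+(.+?)\s+from\s", dq, re.I)
        selected = {c.strip() for c in m.group(1).split(",")} if m else set()
        # Column names are compared exactly (case-sensitive) in this check.
        for ref in re.findall(r"\$\{dataimporter\.delta\.(\w+)\}", diq):
            if ref not in selected:
                findings.append(f"{ent.get('name')}: deltaImportQuery uses delta.{ref}, not returned by deltaQuery")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
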

Run a DataImport of Splunk Data.

  1. Execute DataImport from the URL below:
    http://localhost:8983/solr/#/CDataCore/dataimport//dataimport
  2. Select the "full-import" Command, choose the table from Entity, and click "Execute."
  3. Check the result of the import from the Query.
  4. Try an incremental update using deltaQuery. Modify some data in the original Splunk data set. This time, select the "delta-import" command from the DataImport window and click "Execute."
  5. Check the result of the incremental update.

Using the CData JDBC Driver for Splunk, you can create an automated import of Splunk data into Apache Solr. Download a free, 30-day trial of any of the 200+ CData JDBC Drivers and get started today.