How to work with Splunk Data in Apache Spark using SQL



Access and process Splunk Data in Apache Spark using the CData JDBC Driver.

Apache Spark is a fast and general engine for large-scale data processing. When paired with the CData JDBC Driver for Splunk, Spark can work with live Splunk data. This article describes how to connect to and query Splunk data from a Spark shell.

The CData JDBC Driver offers unmatched performance for interacting with live Splunk data due to optimized data processing built into the driver. When you issue complex SQL queries to Splunk, the driver pushes supported SQL operations, like filters and aggregations, directly to Splunk and utilizes the embedded SQL engine to process unsupported operations (often SQL functions and JOIN operations) client-side. With built-in dynamic metadata querying, you can work with and analyze Splunk data using native data types.

Install the CData JDBC Driver for Splunk

Download the CData JDBC Driver for Splunk installer, unzip the package, and run the JAR file to install the driver.

Start a Spark Shell and Connect to Splunk Data

  1. Open a terminal and start the Spark shell with the CData JDBC Driver for Splunk JAR file as the jars parameter (quote the path, because it contains spaces):

    $ spark-shell --jars "/CData/CData JDBC Driver for Splunk/lib/cdata.jdbc.splunk.jar"
  2. With the shell running, you can connect to Splunk with a JDBC URL and use the SQL Context load() function to read a table.

    To authenticate requests, set the User, Password, and URL properties to valid Splunk credentials. Requests to Splunk are made on port 8089.

    By default, the data provider uses plain-text authentication, since it attempts to negotiate TLS/SSL with the server.

    If you need to manually configure TLS/SSL, see Getting Started -> Advanced Settings in the data provider help documentation.

    Built-in Connection String Designer

    For assistance in constructing the JDBC URL, use the connection string designer built into the Splunk JDBC Driver. Either double-click the JAR file or execute the JAR file from the command line.

    java -jar cdata.jdbc.splunk.jar

    Fill in the connection properties and copy the connection string to the clipboard.

    Configure the connection to Splunk, using the connection string generated above.

    scala> val splunk_df = spark.sqlContext.read.format("jdbc").option("url", "jdbc:splunk:user=MyUserName;password=MyPassword;URL=MyURL;").option("dbtable","DataModels").option("driver","cdata.jdbc.splunk.SplunkDriver").load()
  3. Once you connect and the data is loaded you will see the table schema displayed.
  4. Register the Splunk data as a temporary table:

    scala> splunk_df.createOrReplaceTempView("datamodels")
  5. Perform custom SQL queries against the data using commands like the one below:

    scala> splunk_df.sqlContext.sql("SELECT Name, Owner FROM DataModels WHERE Id = 'SampleDataset'").collect.foreach(println)

    The results are displayed in the console.
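The connection in step 2 puts the Splunk password directly in the command typed into the shell. The following is an added example, not CData's own code, that builds the same JDBC URL from environment variables and prints only a redacted copy. The variable names `SPLUNK_USER`, `SPLUNK_PASSWORD` and `SPLUNK_URL`, the helper functions, the rejection of `;` in values and the `https://` requirement are all assumptions made for this example.

```scala
// Added example: run inside spark-shell, where `spark` is already defined.
// SPLUNK_USER, SPLUNK_PASSWORD and SPLUNK_URL are assumed names; export them
// in the terminal before starting spark-shell.

// Fail early with a clear message instead of sending an empty credential.
def requiredEnv(name: String): String =
  sys.env.get(name).filter(_.nonEmpty)
    .getOrElse(sys.error(s"environment variable $name is not set"))

// Assumption: values containing ';' are refused rather than escaped, so a
// crafted value cannot append extra connection properties to the URL.
def prop(key: String, value: String): String = {
  require(!value.contains(";"), s"$key must not contain ';'")
  s"$key=$value;"
}

// Same property names as step 2. The https check is a policy added for this
// example so credentials are never sent to a plain-HTTP endpoint.
def splunkJdbcUrl(user: String, password: String, url: String): String = {
  require(url.startsWith("https://"), "URL must start with https://")
  "jdbc:splunk:" + prop("user", user) + prop("password", password) + prop("URL", url)
}

// Copy of the URL that is safe to print or log.
def redact(jdbcUrl: String): String =
  jdbcUrl.replaceAll("(?i)(password=)[^;]*", "$1****")

val jdbcUrl = splunkJdbcUrl(
  requiredEnv("SPLUNK_USER"),
  requiredEnv("SPLUNK_PASSWORD"),
  requiredEnv("SPLUNK_URL"))

println(s"Connecting with ${redact(jdbcUrl)}")

// Trailing dots keep the chained call as one expression in the REPL.
val splunk_df = spark.read.format("jdbc").
  option("url", jdbcUrl).
  option("dbtable", "DataModels").
  option("driver", "cdata.jdbc.splunk.SplunkDriver").
  load()
```

Avoid evaluating `jdbcUrl` on its own at the prompt, because the REPL echoes the full value including the password.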

Using the CData JDBC Driver for Splunk in Apache Spark, you are able to perform fast and complex analytics on Splunk data, combining the power and utility of Spark with your data. Download a free, 30-day trial of any of the 200+ CData JDBC Drivers and get started today.