Process & Analyze Splunk Data in Databricks (AWS)


Host the CData JDBC Driver for Splunk in AWS and use Databricks to perform data engineering and data science on live Splunk data.

Databricks is a cloud-based service that provides data processing capabilities through Apache Spark. When paired with the CData JDBC Driver, customers can use Databricks to perform data engineering and data science on live Splunk data. This article walks through hosting the CData JDBC Driver in AWS, as well as connecting to and processing live Splunk data in Databricks.

With built-in optimized data processing, the CData JDBC Driver offers unmatched performance for interacting with live Splunk data. When you issue complex SQL queries to Splunk, the driver pushes supported SQL operations, like filters and aggregations, directly to Splunk and utilizes the embedded SQL engine to process unsupported operations client-side (often SQL functions and JOIN operations). Its built-in dynamic metadata querying allows you to work with and analyze Splunk data using native data types.

Install the CData JDBC Driver in Databricks

To work with live Splunk data in Databricks, install the driver on your Databricks cluster.

  1. Navigate to your Databricks administration screen and select the target cluster.
  2. On the Libraries tab, click "Install New."
  3. Select "Upload" as the Library Source and "Jar" as the Library Type.
  4. Upload the JDBC JAR file (cdata.jdbc.splunk.jar) from the installation location (typically C:\Program Files\CData\CData JDBC Driver for Splunk\lib).

Access Splunk Data in your Notebook: Python

With the JAR file installed, we are ready to work with live Splunk data in Databricks. Start by creating a new notebook in your workspace. Name the notebook, select Python as the language (though Scala is available as well), and choose the cluster where you installed the JDBC driver. When the notebook launches, we can configure the connection, query Splunk, and create a basic report.

Configure the Connection to Splunk

Connect to Splunk by referencing the JDBC Driver class and constructing a connection string to use in the JDBC URL.

Step 1: Connection Information

driver = "cdata.jdbc.splunk.SplunkDriver"
url = "jdbc:splunk:user=MyUserName;password=MyPassword;URL=MyURL;InitiateOAuth=GETANDREFRESH"

Built-in Connection String Designer

For assistance in constructing the JDBC URL, use the connection string designer built into the Splunk JDBC Driver. Either double-click the JAR file or run it from the command line.

java -jar cdata.jdbc.splunk.jar

Fill in the connection properties and copy the connection string to the clipboard.

To authenticate requests, set the User, Password, and URL properties to valid Splunk credentials. Requests to Splunk are made on port 8089.

By default the data provider uses plain-text authentication, relying on its attempt to negotiate TLS/SSL with the server to protect the credentials in transit.

If you need to manually configure TLS/SSL, see Getting Started -> Advanced Settings in the data provider help documentation.
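The Step 1 connection string above embeds the user name and password directly in the notebook. The following added example (not code from the CData article or driver) builds the same jdbc:splunk: URL from values resolved through a lookup callable, so that in Databricks the credentials can come from a secret scope via dbutils.secrets.get, and masks the password before the URL is ever printed or logged. The secret scope and key names, the heuristic for which property names count as sensitive, and the rejection of values containing ';' or '=' (the driver's escaping rules are not covered by the article) are assumptions.

```python
from urllib.parse import urlparse

def _is_sensitive(key: str) -> bool:
    # Assumption: names mentioning password/secret/token are never loggable.
    return any(w in key.lower() for w in ("password", "secret", "token"))

def build_splunk_jdbc_url(props: dict) -> str:
    """Assemble 'jdbc:splunk:key=value;...' from a property mapping."""
    for required in ("user", "password", "URL"):
        if not props.get(required):
            raise ValueError(f"missing connection property: {required}")
    parsed = urlparse(props["URL"])
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError("URL must look like https://splunk-host:8089")
    # The article states requests to Splunk are made on port 8089.
    if parsed.port not in (None, 8089):
        raise ValueError(f"unexpected Splunk management port {parsed.port}")
    parts = []
    for key, value in props.items():
        # ';' and '=' separate this format; the driver's escaping rules are
        # not covered by the article, so such values are rejected outright.
        if ";" in value or "=" in value:
            raise ValueError(f"property {key!r} contains a reserved character")
        parts.append(f"{key}={value}")
    return "jdbc:splunk:" + ";".join(parts)

def redact_jdbc_url(url: str) -> str:
    """Mask sensitive values so the URL can be printed or logged safely."""
    prefix = "jdbc:splunk:"
    if not url.startswith(prefix):
        raise ValueError("not a Splunk JDBC URL")
    masked = []
    for item in url[len(prefix):].split(";"):
        key, sep, value = item.partition("=")
        if sep and _is_sensitive(key):
            value = "***"
        masked.append(f"{key}{sep}{value}")
    return prefix + ";".join(masked)

def connection_props(lookup, scope: str = "splunk") -> dict:
    """Resolve credentials via lookup(scope, key); in Databricks pass
    dbutils.secrets.get so the password never sits in notebook source."""
    return {"user": lookup(scope, "user"), "password": lookup(scope, "password"),
            "URL": lookup(scope, "url"), "InitiateOAuth": "GETANDREFRESH"}

if __name__ == "__main__":
    # Constructed sample values standing in for a Databricks secret scope.
    sample = {"user": "MyUserName", "password": "MyPassword",
              "url": "https://splunk.example.internal:8089"}
    print(redact_jdbc_url(build_splunk_jdbc_url(connection_props(lambda s, k: sample[k]))))
```

In the notebook, pass the result of build_splunk_jdbc_url as the url option in Step 2 and print only redact_jdbc_url(url) when troubleshooting.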

Load Splunk Data

Once you configure the connection, you can load Splunk data as a dataframe using the CData JDBC Driver and the connection information.

Step 2: Reading the data

remote_table = spark.read.format("jdbc") \
    .option("driver", driver) \
    .option("url", url) \
    .option("dbtable", "DataModels") \
    .load()

Display Splunk Data

Check the loaded Splunk data by calling the display function.

Step 3: Checking the result

display(remote_table.select("Name"))

Analyze Splunk Data in Databricks

If you want to process data with Databricks SparkSQL, register the loaded data as a Temp View.

Step 4: Create a view or table

remote_table.createOrReplaceTempView("SAMPLE_VIEW")

With the Temp View created, you can use SparkSQL to retrieve the Splunk data for reporting, visualization, and analysis.

%sql

SELECT Name, Owner FROM SAMPLE_VIEW ORDER BY Owner DESC LIMIT 5

The Temp View holding the Splunk data is only available within the current notebook. To share the data with other users, save it as a table.

remote_table.write.format("parquet").saveAsTable("SAMPLE_TABLE")

Download a free, 30-day trial of the CData JDBC Driver for Splunk and start working with your live Splunk data in Databricks. Reach out to our Support Team if you have any questions.