How to connect and process Splunk Data from Azure Databricks



Use CData, Azure, and Databricks to perform data engineering and data science on live Splunk Data

Databricks is a cloud-based service that provides data processing capabilities through Apache Spark. When paired with the CData JDBC Driver, customers can use Databricks to perform data engineering and data science on live Splunk data. This article walks through hosting the CData JDBC Driver in Azure, as well as connecting to and processing live Splunk data in Databricks.

With built-in optimized data processing, the CData JDBC Driver offers unmatched performance for interacting with live Splunk data. When you issue complex SQL queries to Splunk, the driver pushes supported SQL operations, like filters and aggregations, directly to Splunk and utilizes the embedded SQL engine to process unsupported operations client-side (often SQL functions and JOIN operations). Its built-in dynamic metadata querying allows you to work with and analyze Splunk data using native data types.

Install the CData JDBC Driver in Azure

To work with live Splunk data in Databricks, install the driver on your Azure cluster.

  1. Navigate to your Databricks administration screen and select the target cluster.
  2. On the Libraries tab, click "Install New."
  3. Select "Upload" as the Library Source and "Jar" as the Library Type.
  4. Upload the JDBC JAR file (cdata.jdbc.splunk.jar) from the installation location (typically C:\Program Files\CData[product_name]\lib).

Connect to Splunk from Databricks

With the JAR file installed, we are ready to work with live Splunk data in Databricks. Start by creating a new notebook in your workspace. Name the notebook, select Python as the language (though Scala is available as well), and choose the cluster where you installed the JDBC driver. When the notebook launches, we can configure the connection, query Splunk, and create a basic report.

Configure the Connection to Splunk

Connect to Splunk by referencing the class for the JDBC Driver and constructing a connection string to use in the JDBC URL. Additionally, you will need to set the RTK property in the JDBC URL (unless you are using a Beta driver). You can view the licensing file included in the installation for information on how to set this property.

driver = "cdata.jdbc.splunk.SplunkDriver"
url = "jdbc:splunk:RTK=5246...;user=MyUserName;password=MyPassword;URL=MyURL;InitiateOAuth=GETANDREFRESH"

Built-in Connection String Designer

For assistance in constructing the JDBC URL, use the connection string designer built into the Splunk JDBC Driver. Either double-click the JAR file or execute it from the command line.

java -jar cdata.jdbc.splunk.jar

Fill in the connection properties and copy the connection string to the clipboard.

To authenticate requests, set the User, Password, and URL properties to valid Splunk credentials. Requests to Splunk are made on port 8089.

By default, the data provider uses plain-text authentication, since it attempts to negotiate TLS/SSL with the server and relies on that session to protect the credentials in transit.

If you need to manually configure TLS/SSL, see Getting Started -> Advanced Settings in the data provider help documentation.
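The connection string shown above carries the password and RTK as literals in the notebook. The following added example (not CData's code) builds the same `jdbc:splunk:` URL from a secret store, refuses values that could inject extra connection properties or a non-HTTPS endpoint, and masks secrets for logging. The scope name `splunk-jdbc` and the key names are assumptions, and only the four properties listed are set.

```python
import re
from urllib.parse import urlsplit

SENSITIVE = ("password", "rtk")  # properties masked by redact()

# Constructed sample values standing in for a Databricks secret scope.
CONSTRUCTED_SECRETS = {
    "rtk": "TESTKEY",
    "user": "svc_reader",
    "password": "s3cr3t-example",
    "url": "https://splunk.example.com:8089",
}

def fake_get(scope, key):
    """Offline stand-in with the same call shape as dbutils.secrets.get."""
    return CONSTRUCTED_SECRETS[key]

def build_jdbc_url(get_secret, scope="splunk-jdbc"):
    """Assemble the jdbc:splunk: URL from stored secrets, not literals.

    Scope and key names are hypothetical; in a notebook pass
    dbutils.secrets.get as get_secret.
    """
    props = {
        "RTK": get_secret(scope, "rtk"),
        "user": get_secret(scope, "user"),
        "password": get_secret(scope, "password"),
        "URL": get_secret(scope, "url"),
    }
    for name, value in props.items():
        # The driver's escaping rules are not given on this page, so reject
        # (rather than escape) anything that could begin a new property.
        if not value or re.search(r"[;\r\n]", value):
            raise ValueError(f"unsafe or empty value for {name}")
    target = urlsplit(props["URL"])
    if target.scheme != "https" or not target.hostname:
        raise ValueError("Splunk URL must be an https:// endpoint")
    return "jdbc:splunk:" + ";".join(f"{k}={v}" for k, v in props.items())

def redact(jdbc_url):
    """Mask secret-bearing properties so the URL is safe to log or display."""
    pattern = r"(?i)\b(" + "|".join(SENSITIVE) + r")=[^;]*"
    return re.sub(pattern, r"\1=***", jdbc_url)

if __name__ == "__main__":
    print(redact(build_jdbc_url(fake_get)))
```

In a notebook, call `build_jdbc_url(dbutils.secrets.get)` and pass the result as the `url` option; display or log only `redact(url)`.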

Load Splunk Data

Once the connection is configured, you can load Splunk data as a dataframe using the CData JDBC Driver and the connection information.

remote_table = spark.read.format("jdbc") \
    .option("driver", driver) \
    .option("url", url) \
    .option("dbtable", "DataModels") \
    .load()

Display Splunk Data

Check the loaded Splunk data by calling the display function.

display(remote_table.select("Name"))

Analyze Splunk Data in Azure Databricks

If you want to process data with Databricks SparkSQL, register the loaded data as a Temp View.

remote_table.createOrReplaceTempView("SAMPLE_VIEW")

The SparkSQL below retrieves the Splunk data for analysis.

%sql

SELECT Name, Owner FROM SAMPLE_VIEW

The data from Splunk is only available in the target notebook. If you want to share it with other users, save it as a table.

remote_table.write.format("parquet").saveAsTable("SAMPLE_TABLE")

Download a free, 30-day trial of the CData JDBC Driver for Splunk and start working with your live Splunk data in Azure Databricks. Reach out to our Support Team if you have any questions.