Connect to Splunk as an External Data Source using PolyBase


The Splunk ODBC Driver is a powerful tool that allows you to connect to live Splunk data directly from any application that supports ODBC connectivity.

Access Splunk like you would a database - read, write, and update Datamodels, Datasets, SearchJobs, etc. through a standard ODBC Driver interface.

Use the CData ODBC Driver for Splunk and PolyBase to create an external data source in SQL Server 2019 with access to live Splunk data.

PolyBase for SQL Server allows you to query external data by using the same Transact-SQL syntax used to query a database table. When paired with the CData ODBC Driver for Splunk, you get access to your Splunk data directly alongside your SQL Server data. This article walks through creating an external data source and external tables to grant access to live Splunk data using T-SQL queries.

The CData ODBC drivers offer unmatched performance for interacting with live Splunk data using PolyBase due to optimized data processing built into the driver. When you issue complex SQL queries from SQL Server to Splunk, the driver pushes down supported SQL operations, like filters and aggregations, directly to Splunk and utilizes the embedded SQL engine to process unsupported operations (often SQL functions and JOIN operations) client-side. And with PolyBase, you can also join SQL Server data with Splunk data, using a single query to pull data from distributed sources.

Connect to Splunk

If you have not already, first specify connection properties in an ODBC DSN (data source name). This is the last step of the driver installation. You can use the Microsoft ODBC Data Source Administrator to create and configure ODBC DSNs. To create an external data source in SQL Server using PolyBase, configure a System DSN (CData Splunk Sys is created automatically).

To authenticate requests, set the User, Password, and URL properties to valid Splunk credentials. Requests to Splunk are made on port 8089.

By default, the data provider uses plain-text authentication, since it attempts to negotiate TLS/SSL with the server.

If you need to manually configure TLS/SSL, see Getting Started -> Advanced Settings in the data provider help documentation.

Click "Test Connection" to ensure that the DSN is connected to Splunk properly. Navigate to the Tables tab to review the table definitions for Splunk.

Create an External Data Source for Splunk Data

After configuring the connection, you need to create a master encryption key and a database scoped credential for the external data source.

Creating a Master Encryption Key

Execute the following SQL command to create a new database master key, which encrypts the credentials for the external data source.


Creating a Database Scoped Credential

Execute the following SQL command to create credentials for the external data source connected to Splunk data.

NOTE: IDENTITY and SECRET correspond with the User and Password properties for Splunk.

CREATE DATABASE SCOPED CREDENTIAL splunk_creds
WITH IDENTITY = 'username', SECRET = 'password';

Create an External Data Source for Splunk

Execute the following SQL command to create an external data source for Splunk with PolyBase, using the DSN and credentials configured earlier.

For Splunk, set SERVERNAME to 'localhost' or '' and leave PORT empty. PUSHDOWN is set to ON by default, meaning the ODBC Driver can leverage server-side processing for complex queries.

  CREDENTIAL = splunk_creds

Create External Tables for Splunk

After creating the external data source, use CREATE EXTERNAL TABLE statements to link to Splunk data from your SQL Server instance. The table column definitions must match those exposed by the CData ODBC Driver for Splunk. You can refer to the Tables tab of the DSN Configuration Wizard to see the table definition.

Sample CREATE TABLE Statement

The statement to create an external table based on the Splunk DataModels table would look similar to the following:

  Name [nvarchar](255) NULL,
  Owner [nvarchar](255) NULL,
) WITH ( 
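
The steps on this page assembled into one T-SQL script, as an added example that is not CData's own code. The data source name splunk_polybase_src, the local table name dbo.SplunkDataModels, the remote table name DataModels and the bracketed secrets are assumptions, and the column list shows only the two columns visible above. The closing queries read the catalog views to confirm which credential each external data source is bound to.

```sql
-- Added example: names marked "assumed" are placeholders, not from the article.
-- 1. Create the database master key only if the database does not have one yet.
IF NOT EXISTS (SELECT 1 FROM sys.symmetric_keys
               WHERE name = '##MS_DatabaseMasterKey##')
    CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong-master-key-password>';
GO

-- 2. Store the Splunk User/Password; the secret is encrypted under the master key.
CREATE DATABASE SCOPED CREDENTIAL splunk_creds
WITH IDENTITY = '<splunk-user>', SECRET = '<splunk-password>';
GO

-- 3. Bind the System DSN and the credential to an external data source.
CREATE EXTERNAL DATA SOURCE splunk_polybase_src       -- assumed name
WITH (
    LOCATION = 'odbc://localhost',
    CONNECTION_OPTIONS = 'DSN=CData Splunk Sys',
    PUSHDOWN = ON,
    CREDENTIAL = splunk_creds
);
GO

-- 4. Map one Splunk table. Only the two columns shown in the article are listed;
--    use the full definition from the DSN's Tables tab, since columns must match.
CREATE EXTERNAL TABLE dbo.SplunkDataModels (           -- assumed local name
    Name  nvarchar(255) NULL,
    Owner nvarchar(255) NULL
) WITH (
    LOCATION = 'DataModels',                           -- assumed remote table name
    DATA_SOURCE = splunk_polybase_src
);
GO

-- 5. Review which credential and identity each external data source uses.
SELECT ds.name AS data_source, ds.location,
       c.name AS credential_name, c.credential_identity
FROM sys.external_data_sources AS ds
LEFT JOIN sys.database_scoped_credentials AS c
       ON c.credential_id = ds.credential_id;

-- 6. Review which external tables point at which data source.
SELECT t.name AS external_table, t.location, ds.name AS data_source
FROM sys.external_tables AS t
JOIN sys.external_data_sources AS ds
  ON ds.data_source_id = t.data_source_id;
```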

Having created external tables for Splunk in your SQL Server instance, you are now able to query local and remote data simultaneously. Thanks to built-in query processing in the CData ODBC Driver, you know that as much query processing as possible is being pushed to Splunk, freeing up local resources and computing power. Download a free, 30-day trial of the ODBC Driver for Splunk and start working with live Splunk data alongside your SQL Server data today.