Replicate Multiple Splunk Accounts



Replicate multiple Splunk accounts to one or many databases.

CData Sync for Splunk is a stand-alone application that provides solutions for a variety of replication scenarios such as replicating sandbox and production instances into your database. Both Sync for Windows and Sync for Java include a command-line interface (CLI) that makes it easy to manage multiple Splunk connections. In this article we show how to use the CLI to replicate multiple Splunk accounts.

Configure Splunk Connections

You can save connection and email notification settings in an XML configuration file. To replicate multiple Splunk accounts, use multiple configuration files. Below is an example configuration to replicate Splunk to SQLite:

Windows

<?xml version="1.0" encoding="UTF-8" ?> <CDataSync> <DatabaseType>SQLite</DatabaseType> <DatabaseProvider>System.Data.SQLite</DatabaseProvider> <ConnectionString>user=MyUserName;password=MyPassword;URL=MyURL;</ConnectionString> <ReplicateAll>False</ReplicateAll> <NotificationUserName></NotificationUserName> <DatabaseConnectionString>Data Source=C:\my.db</DatabaseConnectionString> <TaskSchedulerStartTime>09:51</TaskSchedulerStartTime> <TaskSchedulerInterval>Never</TaskSchedulerInterval> </CDataSync>

Java

<?xml version="1.0" encoding="UTF-8" ?> <CDataSync> <DatabaseType>SQLite</DatabaseType> <DatabaseProvider>org.sqlite.JDBC</DatabaseProvider> <ConnectionString>user=MyUserName;password=MyPassword;URL=MyURL;</ConnectionString> <ReplicateAll>False</ReplicateAll> <NotificationUserName></NotificationUserName> <DatabaseConnectionString>Data Source=C:\my.db</DatabaseConnectionString> </CDataSync>

To authenticate requests, set the User, Password, and URL properties to valid Splunk credentials. The port on which the requests are made to Splunk is port 8089.

The data provider uses plain-text authentication by default, since the data provider attempts to negotiate TLS/SSL with the server.

If you need to manually configure TLS/SSL, see Getting Started -> Advanced Settings in the data provider help documentation.

Configure Queries for Each Splunk Instance

Sync enables you to control replication with standard SQL. The REPLICATE statement is a high-level command that caches and maintains a table in your database. You can define any SELECT query supported by the Splunk API. The statement below caches and incrementally updates a table of Splunk data:

REPLICATE DataModels;

You can specify a file containing the replication queries you want to use to update a particular database. Separate replication statements with semicolons. The following options are useful if you are replicating multiple Splunk accounts into the same database:

You can use a different table prefix in the REPLICATE SELECT statement:

REPLICATE PROD_DataModels SELECT * FROM DataModels

Alternatively, you can use a different schema:

REPLICATE PROD.DataModels SELECT * FROM DataModels

Run Sync

After you have configured the connection strings and replication queries, you can run Sync with the following command-line options:

Windows

SplunkSync.exe -g MyProductionSplunkConfig.xml -f MyProductionSplunkSync.sql

Java

java -Xbootclasspath/p:c:\sqlitejdbc.jar -jar SplunkSync.jar -g MyProductionSplunkConfig.xml -f MyProductionSplunkSync.sql

Ready to get started?

Learn more or sign up for a free trial:

CData Sync