Discover how a bimodal integration strategy can address the major data management challenges facing your organization today.
Get the Report →Replicate Multiple Splunk Accounts
Replicate multiple Splunk accounts to one or many databases.
CData Sync for Splunk is a stand-alone application that provides solutions for a variety of replication scenarios such as replicating sandbox and production instances into your database. Both Sync for Windows and Sync for Java include a command-line interface (CLI) that makes it easy to manage multiple Splunk connections. In this article we show how to use the CLI to replicate multiple Splunk accounts.
Configure Splunk Connections
You can save connection and email notification settings in an XML configuration file. To replicate multiple Splunk accounts, use multiple configuration files. Below is an example configuration to replicate Splunk to SQLite:
Windows
<?xml version="1.0" encoding="UTF-8" ?>
<CDataSync>
<DatabaseType>SQLite</DatabaseType>
<DatabaseProvider>System.Data.SQLite</DatabaseProvider>
<ConnectionString>user=MyUserName;password=MyPassword;URL=MyURL;</ConnectionString>
<ReplicateAll>False</ReplicateAll>
<NotificationUserName></NotificationUserName>
<DatabaseConnectionString>Data Source=C:\my.db</DatabaseConnectionString>
<TaskSchedulerStartTime>09:51</TaskSchedulerStartTime>
<TaskSchedulerInterval>Never</TaskSchedulerInterval>
</CDataSync>
Java
<?xml version="1.0" encoding="UTF-8" ?>
<CDataSync>
<DatabaseType>SQLite</DatabaseType>
<DatabaseProvider>org.sqlite.JDBC</DatabaseProvider>
<ConnectionString>user=MyUserName;password=MyPassword;URL=MyURL;</ConnectionString>
<ReplicateAll>False</ReplicateAll>
<NotificationUserName></NotificationUserName>
<DatabaseConnectionString>Data Source=C:\my.db</DatabaseConnectionString>
</CDataSync>
To authenticate requests, set the User, Password, and URL properties to valid Splunk credentials. The port on which the requests are made to Splunk is port 8089.
The data provider uses plain-text authentication by default, since the data provider attempts to negotiate TLS/SSL with the server.
If you need to manually configure TLS/SSL, see Getting Started -> Advanced Settings in the data provider help documentation.
Configure Queries for Each Splunk Instance
Sync enables you to control replication with standard SQL. The REPLICATE statement is a high-level command that caches and maintains a table in your database. You can define any SELECT query supported by the Splunk API. The statement below caches and incrementally updates a table of Splunk data:
REPLICATE DataModels;
You can specify a file containing the replication queries you want to use to update a particular database. Separate replication statements with semicolons. The following options are useful if you are replicating multiple Splunk accounts into the same database:
You can use a different table prefix in the REPLICATE SELECT statement:
REPLICATE PROD_DataModels SELECT * FROM DataModels
Alternatively, you can use a different schema:
REPLICATE PROD.DataModels SELECT * FROM DataModels
Run Sync
After you have configured the connection strings and replication queries, you can run Sync with the following command-line options:
Windows
SplunkSync.exe -g MyProductionSplunkConfig.xml -f MyProductionSplunkSync.sql
Java
java -Xbootclasspath/p:c:\sqlitejdbc.jar -jar SplunkSync.jar -g MyProductionSplunkConfig.xml -f MyProductionSplunkSync.sql