1. Copyright © 2013 Splunk Inc.
Raanan Dagan
May 2013
Splunk Big Data
Architectural Patterns:
Hadoop and Database

2. Agenda
• Architectural Patterns - Splunk and Hadoop
• Hadoop Connect Demo
• Architectural Patterns - Splunk and Database
• DB Connect Demo

3. 3
Developer
Platform
Report
and
analyze
Custom
dashboards
Monitor
and alert
Ad hoc
search
SQL
Splunk Hadoop Connect
• Reliable bi-directional
integration to Hadoop
Splunk DB Connect
• Real-time integration
to relational DBs
Splunk: A Platform for Big Data Integration

4. Architectural Patterns
Splunk and Hadoop

5. 5
Splunk Hadoop Connect
Delivers reliable integration
between Splunk and Hadoop
Export events to Hadoop
Explore and Browse Hadoop
directories
Import and Index Hadoop data
into Splunk

6. Hadoop Connect: 3 Patterns
Splunk then
Hadoop
1
Hadoop then
Splunk
Combination and
Search
Commands
2 3
6

7. Splunk then Hadoop
Splunk Ingest and provides: Real-time Analytics, End-user
Security and Visualization
7
Splunk for
Analytics
Data Sources Hadoop for
ETL

8. Hadoop Connect - Export
8
1. Splunk forwarders move data to an
indexer
2. Search head stream data into a local
directory
3. Periodically Splunk compresses the file
and puts it into the HDFS directory
(location set by users)

9. Hadoop Connect: 3 Patterns
9
Splunk then
Hadoop
1
Hadoop then
Splunk
Combination and
Search
Commands
2 3

10. Hadoop then Splunk
10
Splunk for
Analytics
Data Sources Hadoop for
ETL
Hadoop Ingest. Splunk provides Interactive
Analytics, End-user Security, and Visualization

11. Hadoop Connect – Import and Index
11
1. Splunk detects any updated or new file
in the HDFS directory
2. Splunk imports the data into Splunk
indexers
3. In Splunk you can apply access controls
to the data as well as search, report and
visualize your data

12. Hadoop Connect: 3 Patterns
12
Splunk then
Hadoop
1
Hadoop then
Splunk
Combination and
Search
Commands
2 3

13. Splunk for
Analytics
Data Sources
Hadoop for
ETL
• Splunk and Hadoop Share
the data
• Splunk for real-time
Analytics
• Hadoop for ETL
Data flows in both directions
13

14. Hadoop Connect – Explore
Enables Splunk to browse and navigate
HDFS directories and files from the Splunk
search head user interface
Explore User interface wraps ‘hdfs lsr’ and
‘hdfs read’
14
| hdfs read hdfs://kiru-demo-01.sv.splunk.com:9000/home/HadoopConnect/twitter/File1.gz
| hdfs lsr hdfs://kiru-demo-01.sv.splunk.com:9000/home/HadoopConnect/twitter/

15. Splunk Hadoop Connect
Demo

16. Architectural Patterns
Splunk and Database

17. Splunk DB Connect
Enrich search results with additional
business context
Easily import data into Splunk for
deeper analysis
Integrate multiple DBs concurrently
Simple set-up, non-evasive and secure
Reliable, scalable, real-time
integration between Splunk and
traditional relational databases
Microsoft SQL
Server
JDBC
Database
Lookup
Database
Query
Connection
Pooling
Other
Databases
Oracle
Database
Java Bridge Server
17

18. DB Connect: 3 Patterns
18
Database Lookup
1
Import Database
Tables
Search
Commands
2 3

19. 19
Media Server
Logs
(Machine Data)
Mar 01 19:18:50:000 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct start for 2172618992@splunktel.com
10.164.232.181 from 12.130.60.5 recorded OK.
2013-03-01 19:18:50:150 10.2.1.34 GET /sync/addtolibrary/01011207201000005652000000000053 - 80 - 10.164.232.181 "Mozilla/5.0
(iPhone; CPU iPhone OS 5_0_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A405 Safari/7534.48.3"
503 0 0 825 1680
Mar 01 19:18:50:163 aaa2 radiusd[12548]:[ID 959576 local1.info] INFO RADOP(13) acct stop for 2172618992@splunktel.com
10.164.232.181 from 12.130.60.5 recorded OK.
Track ID Artist Title Format ID Run time
01011207201000005652000000000053 Maroon 5 Moves like Jagger MP3 4:30
Phone # Subscriber ID
2172618992 53546
Subscriber
ID
First Name Last Name Age State Customer
Score
53546 Jim Morrison 25 CA 93
Customer,
Product
Databases
Phone Number IP Address Track ID
Enrich Machine Data with additional Business Context
DB Connect – Database Lookup

20. DB Connect – Database Lookup
20
1. Use ‘lookup’ in Splunk Search
2. Keys are sent from Splunk to Databases (Product ID)
3. Values are returned if Keys are matched (Product Name, Product Price)
SQL
KEYS
VALUES

21. DB Connect: 3 Patterns
21
Database Lookup
1
Import Database
Tables
Search
Commands
2 3

22. DB Connect - Import Database Table
22
Provide deeper analysis
Machine
Data
Machine
Data
Machine
Data
RDBMS

23. DB Connect – Import Database Table
23
Two input types can be used to import rows from the database:
• Tail = Bring only new or updated rows
• Dump = Bring entire table
SQL
Import

24. DB Connect: 3 Patterns
24
Database Lookup
1
Import Database
Tables
Search
Commands
2 3

25. Splunk Search Language Extensions
Execute database queries directly from the Splunk user interface with
new Dbquery and Dbinfo Splunk search commands
25
*** DBoutput (BETA) - Create or Update database records on information Splunk searches

26. DB Connect – Search Commands
26
1. Use SQL-92 or Stored Procedures with DBQuery
2. Database Info user interface wraps DBinfo and DBquery commands
SQL
QUERY
RESULTS

27. Splunk DB Connect
Demo
27

28. Summary
28
Splunk and Hadoop:
– Splunk provides real-time analysis, visualization, and security
– Hadoop provides parallel ETL or batch computation
Splunk and Database:
– Enrich search results with additional business context
– Import data into Splunk for deeper analysis

29. Questions
Raanan Dagan
rdagan@splunk.com