How to integrate Splunk with Apache Airflow

Apache Airflow supports the creation, scheduling, and monitoring of data engineering workflows. When paired with the CData JDBC Driver for Splunk, Airflow can work with live Splunk data. This article describes how to connect to and query Splunk data from an Apache Airflow instance and store the results in a CSV file.

With built-in optimized data processing, the CData JDBC driver offers unmatched performance for interacting with live Splunk data. When you issue complex SQL queries to Splunk, the driver pushes supported SQL operations, like filters and aggregations, directly to Splunk and utilizes the embedded SQL engine to process unsupported operations client-side (often SQL functions and JOIN operations). Its built-in dynamic metadata querying allows you to work with and analyze Splunk data using native data types.

Configuring the Connection to Splunk

Built-in Connection String Designer

For assistance in constructing the JDBC URL, use the connection string designer built into the Splunk JDBC Driver. Either double-click the JAR file or execute the jar file from the command-line.

java -jar cdata.jdbc.splunk.jar

Fill in the connection properties and copy the connection string to the clipboard.

To authenticate requests, set the , , and properties to valid Splunk credentials. The port on which the requests are made to Splunk is port 8089.

The data provider uses plain-text authentication by default, since the data provider attempts to negotiate TLS/SSL with the server.

If you need to manually configure TLS/SSL, see Getting Started -> Advanced Settings in the data provider help documentation.

👁 Using the built-in connection string designer to generate a JDBC URL (splunk is shown.)

To host the JDBC driver in clustered environments or in the cloud, you will need a license (full or trial) and a Runtime Key (RTK). For more information on obtaining this license (or a trial), contact our sales team.

The following are essential properties needed for our JDBC connection.

Establishing a JDBC Connection within Airflow

1. Log into your Apache Airflow instance.
2. On the navbar of your Airflow instance, hover over Admin and then click Connections. 👁 Clicking connections
   
3. Next, click the + sign on the following screen to create a new connection.
4. In the Add Connection form, fill out the required connection properties:
   • Connection Id: Name the connection, i.e.: splunk_jdbc
   • Connection Type: JDBC Connection
   • Connection URL: The JDBC connection URL from above, i.e.: jdbc:splunk:RTK=5246...;user=MyUserName;password=MyPassword;URL=MyURL;InitiateOAuth=GETANDREFRESH;)
   • Driver Class: cdata.jdbc.splunk.SplunkDriver
   • Driver Path: PATH/TO/cdata.jdbc.splunk.jar
   👁 Add JDBC connection form
   
5. Test your new connection by clicking the Test button at the bottom of the form.
6. After saving the new connection, on a new screen, you should see a green banner saying that a new row was added to the list of connections: 👁 New connection added
   

Creating a DAG

A DAG in Airflow is an entity that stores the processes for a workflow and can be triggered to run this workflow. Our workflow is to simply run a SQL query against Splunk data and store the results in a CSV file.

1. To get started, in the Home directory, there should be an "airflow" folder. Within there, we can create a new directory and title it "dags". In here, we store Python files that convert into Airflow DAGs shown on the UI.
2. Next, create a new Python file and title it splunk_hook.py. Insert the following code inside of this new file:

   	import time
   	from datetime import datetime
   	from airflow.decorators import dag, task
   	from airflow.providers.jdbc.hooks.jdbc import JdbcHook
   	import pandas as pd
   
   	# Declare Dag
   	@dag(dag_id="splunk_hook", schedule_interval="0 10 * * *", start_date=datetime(2022,2,15), catchup=False, tags=['load_csv'])
   	
   	# Define Dag Function
   	def extract_and_load():
   	# Define tasks
   		@task()
   		def jdbc_extract():
   			try:
   				hook = JdbcHook(jdbc_conn_id="jdbc")
   				sql = """ select * from Account """
   				df = hook.get_pandas_df(sql)
   				df.to_csv("/{some_file_path}/{name_of_csv}.csv",header=False, index=False, quoting=1)
   				# print(df.head())
   				print(df)
   				tbl_dict = df.to_dict('dict')
   				return tbl_dict
   			except Exception as e:
   				print("Data extract error: " + str(e))
    
   		jdbc_extract()
    
   	sf_extract_and_load = extract_and_load()
   

3. Save this file and refresh your Airflow instance. Within the list of DAGs, you should see a new DAG titled "splunk_hook". 👁 New DAG added
   
4. Click on this DAG and, on the new screen, click on the unpause switch to make it turn blue, and then click the trigger (i.e. play) button to run the DAG. This executes the SQL query in our splunk_hook.py file and export the results as a CSV to whichever file path we designated in our code. 👁 Run the DAG
   
5. After triggering our new DAG, we check the Downloads folder (or wherever you chose within your Python script), and see that the CSV file has been created - in this case, account.csv. 👁 CSV created
   
6. Open the CSV file to see that your Splunk data is now available for use in CSV format thanks to Apache Airflow. 👁 CSV file with Splunk data.
   

More Information & Free Trial

Download a free, 30-day trial of the CData JDBC Driver for Splunk and start working with your live Splunk data in Apache Airflow. Reach out to our Support Team if you have any questions.