How to connect and process Splunk data from Azure Databricks

Databricks is a cloud-based service that provides data processing capabilities through Apache Spark. When paired with the CData JDBC Driver, customers can use Databricks to perform data engineering and data science on live Splunk data. This article explains how to host the CData JDBC Driver in Azure, as well as connect to and process live Splunk data in Databricks.

With built-in optimized data processing, the CData JDBC driver offers unmatched performance for interacting with live Splunk data. When you issue complex SQL queries to Splunk, the driver pushes supported SQL operations, like filters and aggregations, directly to Splunk and utilizes the embedded SQL engine to process unsupported operations client-side (often SQL functions and JOIN operations). Its built-in dynamic metadata querying allows you to work with and analyze Splunk data using native data types.

Install the CData JDBC Driver in Azure

To work with live Splunk data in Databricks, install the driver through Azure Data Lake Storage (ADLS). (Please note that the method of connecting through DBFS, which previous versions of this article described, has been deprecated, but has not published an end-of-life.)

1. Upload the JDBC JAR file to a blob container of your choice (i.e. "jdbcjars" container of the "databrickslibraries" storage account).
2. Fetch the Account Key from the storage account by expanding "Security + networking" and clicking on "Access Keys". Show and copy whichever of the two keys you wish to use. 👁 Get Access Key
   
3. Get the JDBC JAR file's URL by navigating to Containers, opening the specific container storing the JAR, and selecting the entry for the JDBC JAR file. This should open the file's details, where there should be a convenient button to copy the URL button to clipboard. This value will look similar to the below, though the "blob" component may vary depending on storage account type:

   https://databrickslibraries.blob.core.windows.net/jdbcjars/cdata.jdbc.salesforce.jar

   👁 Get JAR URL
   
4. In the Configuration tab of your Databricks cluster, click on the Edit button and expand "Advanced options". From there, add the following Spark option (derived from the JAR URL's domain name) with your copied Account key as its value and click Confirm: spark.hadoop.fs.azure.account.key.databrickslibraries.blob.core.windows.net 👁 Apply Account Key
   
5. In the Libraries tab of your Databricks cluster, click on "Install new", and select the ADLS option. Specify the ABFSS URL for the driver JAR (also derived from the JAR URL's domain name), and click Install. The ABFSS URL should resemble the below:

   abfss://[email protected]/cdata.jdbc.salesforce.jar

   👁 Install ADLS Library
   

Connect to Splunk from Databricks

With the JAR file installed, we are ready to work with live Splunk data in Databricks. Start by creating a new notebook in your workspace. Name the workbook, make sure Python is selected as the language (which should be by default), click on Connect and under General Compute select the cluster where you installed the JDBC driver (should be selected by default).

👁 Attaching to an existing compute resource

Configure the Connection to Splunk

Connect to Splunk by referencing the class for the JDBC Driver and constructing a connection string to use in the JDBC URL. Additionally, you will need to set the property in the JDBC URL (unless you are using a Beta driver). You can view the licensing file included in the installation for information on how to set this property.

driver = "cdata.jdbc.splunk.SplunkDriver"
url = "jdbc:splunk:RTK=5246...;user=MyUserName;password=MyPassword;URL=MyURL;InitiateOAuth=GETANDREFRESH;"

Built-in Connection String Designer

For assistance in constructing the JDBC URL, use the connection string designer built into the Splunk JDBC Driver. Either double-click the JAR file or execute the JAR file from the command-line.

java -jar cdata.jdbc.splunk.jar

Fill in the connection properties and copy the connection string to the clipboard.

To authenticate requests, set the , , and properties to valid Splunk credentials. The port on which the requests are made to Splunk is port 8089.

The data provider uses plain-text authentication by default, since the data provider attempts to negotiate TLS/SSL with the server.

If you need to manually configure TLS/SSL, see Getting Started -> Advanced Settings in the data provider help documentation.

👁 Using the built-in connection string designer to generate a JDBC URL (Salesforce is shown.)

Load Splunk Data

Once the connection is configured, you can load Splunk data as a dataframe using the CData JDBC Driver and the connection information.

remote_table = spark.read.format ( "jdbc" ) \
	.option ( "driver" , driver) \
	.option ( "url" , url) \
	.option ( "dbtable" , "DataModels") \
	.load ()

Display Splunk Data

Check the loaded Splunk data by calling the display function.

display (remote_table.select ("Name"))

👁 Displaying Splunk Data

Analyze Splunk Data in Azure Databricks

If you want to process data with Databricks SparkSQL, register the loaded data as a Temp View.

remote_table.createOrReplaceTempView ( "SAMPLE_VIEW" )

The SparkSQL below retrieves the Splunk data for analysis.

result = spark.sql("SELECT Name, Owner FROM SAMPLE_VIEW")

The data from Splunk is only available in the target notebook. If you want to use it with other users, save it as a table.

remote_table.write.format ( "parquet" ) .saveAsTable ( "SAMPLE_TABLE" )

👁 Displaying Splunk Data

Download a free, 30-day trial of the CData JDBC Driver for Splunk and start working with your live Splunk data in Azure Databricks. Reach out to our Support Team if you have any questions.