How to load Splunk data into Elasticsearch via Logstash

Elasticsearch is a popular distributed full-text search engine. By centrally storing data, you can perform ultra-fast searches, fine-tuning relevance, and powerful analytics with ease. Elasticsearch has a pipeline tool for loading data called "Logstash". You can use CData JDBC Drivers to easily import data from any data source into Elasticsearch for search and analysis.

This article explains how to use the CData JDBC Driver for Splunk to load data from Splunk into Elasticsearch via Logstash.

Using CData JDBC Driver for Splunk with Elasticsearch Logstash

• Install the CData JDBC Driver for Splunk on the machine where Logstash is running.
• The JDBC Driver will be installed at the following path (the year part, e.g. 20XX, will vary depending on the product version you are using). You will use this path later. Place this .jar file (and the .lic file if it's a licensed version) in Logstash.
  C:\Program Files\CData\CData JDBC Driver for Splunk 20XX\lib\cdata.jdbc.splunk.jar
  
• Next, install the JDBC Input Plugin, which connects Logstash to the CData JDBC driver. The JDBC Plugin comes by default with the latest version of Logstash, but depending on the version, you may need to add it.
  https://www.elastic.co/guide/en/logstash/5.4/plugins-inputs-jdbc.html
• Move the CData JDBC Driver’s .jar file and .lic file to Logstash's "/logstash-core/lib/jars/".

Sending Splunk data to Elasticsearch with Logstash

Now, let's create a configuration file for Logstash to transfer Splunk data to Elasticsearch.

• Write the process to retrieve Splunk data in the logstash.conf file, which defines data processing in Logstash. The input will be JDBC, and the output will be Elasticsearch. The data loading job is set to run at 30-second intervals.
• Set the CData JDBC Driver's .jar file as the JDBC driver library, configure the class name, and set the connection properties to Splunk in the form of a JDBC URL. The JDBC URL allows detailed configuration, so please refer to the product documentation for more specifics.

To authenticate requests, set the , , and properties to valid Splunk credentials. The port on which the requests are made to Splunk is port 8089.

The data provider uses plain-text authentication by default, since the data provider attempts to negotiate TLS/SSL with the server.

If you need to manually configure TLS/SSL, see Getting Started -> Advanced Settings in the data provider help documentation.

Executing data movement with Logstash

Now let's run Logstash using the created "logstash.conf" file.

 logstash-7.8.0\bin\logstash -f logstash.conf

A log indicating success will appear. This means the Splunk data has been loaded into Elasticsearch.

For example, let's view the data transferred to Elasticsearch in Kibana.

 GET splunk_table/_search
 {
 "query": {
 "match_all": {}
 }
 }

We have confirmed that the data is stored in Elasticsearch.

By using the CData JDBC Driver for Splunk with Logstash, it functions as a Splunk connector, making it easy to load data into Elasticsearch. Please try the 30-day free trial.