Replicate Splunk Data from PowerShell



The CData ODBC Driver for Splunk enables out-of-the-box integration with Microsoft's built-in support for ODBC. The ODBC driver instantly integrates connectivity to the real Splunk data with PowerShell.

You can use the .NET Framework Provider for ODBC built into PowerShell to quickly automate integration tasks like replicating Splunk data to other databases. This article shows how to replicate Splunk data to SQL Server in 5 lines of code.

You can also write PowerShell code to execute create, read, update, and delete (CRUD) operations. See the examples below.

Create an ODBC Data Source for Splunk

If you have not already, first specify connection properties in an ODBC DSN (data source name). This is the last step of the driver installation. You can use the Microsoft ODBC Data Source Administrator to create and configure ODBC DSNs.

To authenticate requests, set the , , and properties to valid Splunk credentials. The port on which the requests are made to Splunk is port 8089.

The data provider uses plain-text authentication by default, since the data provider attempts to negotiate TLS/SSL with the server.

If you need to manually configure TLS/SSL, see Getting Started -> Advanced Settings in the data provider help documentation.

Connect to Splunk

The code below shows how to use the DSN to initialize the connection to Splunk data in PowerShell:

$conn = New-Object System.Data.Odbc.OdbcConnection
$conn.ConnectionString = "DSN=CData Splunk Source x64"

Back Up Splunk Data to SQL Server

After you enable caching, you can use the code below to replicate data to SQL Server.

Set the following connection properties to configure the caching database:

• CacheProvider: The name of the ADO.NET provider. This can be found in the Machine.config for your version of .NET. For example, to configure SQL Server, enter System.Data.SqlClient.

• CacheConnection: The connection string of properties required to connect to the database. Below is an example for SQL Server:

  Server=localhost;Database=RSB;User Id=sqltest;Password=sqltest;

The SQL query in the example can be used to refresh the entire cached table, including its schema. Any already existing cache is deleted.

$conn.Open()
# Create and execute the SQL Query
$SQL = "CACHE DROP EXISTING SELECT * FROM " + $DataModels
$cmd = New-Object System.Data.Odbc.OdbcCommand($sql,$conn)
$count = $cmd.ExecuteNonQuery()
$conn.Close()

The driver gives you complete control over the caching functionality. See the help documentation for more caching commands and usage examples. See the help documentation for steps to replicate to other databases.

Other Operations

To retrieve Splunk data in PowerShell, call the Fill method of the OdbcDataAdapter method. To execute data manipulation commands, initialize the OdbcCommand object and then call ExecuteNonQuery. Below are some more examples CRUD commands to Splunk through the .NET Framework Provider for ODBC:

Retrieve Splunk Data

$sql="SELECT Name, Owner from DataModels"
 
$da= New-Object System.Data.Odbc.OdbcDataAdapter($sql, $conn)
$dt= New-Object System.Data.DataTable
$da.Fill($dt) 
 
$dt.Rows | foreach {
 $dt.Columns | foreach ($col in dt{
 Write-Host $1[$_]
 }
}

Update Splunk Data

$cmd = New-Object System.Data.Odbc.OdbcCommand("UPDATE DataModels SET Id='SampleDataset' WHERE Id = @myId", $conn)
$cmd.Parameters.Add(new System.Data.Odbc.OdbcParameter("myId","001d000000YBRseAAH")
$cmd.ExecuteNonQuery()

Insert Splunk Data

$cmd = New-Object System.Data.Odbc.OdbcCommand("INSERT INTO DataModels SET Id='SampleDataset' WHERE Id = @myId", $conn)
$cmd.Parameters.Add(new System.Data.Odbc.OdbcParameter("myId","001d000000YBRseAAH")
$cmd.ExecuteNonQuery()

Delete Splunk Data

$cmd = New-Object System.Data.Odbc.OdbcCommand("DELETE FROM DataModels WHERE Id = @myid", $conn)
$cmd.Parameters.Add(new System.Data.Odbc.OdbcParameter("myId","001d000000YBRseAAH")
$cmd.ExecuteNonQuery()