How to integrate Splunk with any data solution
Report
Julian HydeFollow
Sep. 14, 2012•0 likes•8,331 views
How to integrate Splunk with any data solution
Sep. 14, 2012•0 likes•8,331 views
Download to read offline
Report
Technology
A presentation Julian Hyde gave to the Splunk 2012 User conference in Las Vegas, Tue 2012/9/11. Julian demonstrated a new technology called Optiq, described how it could be used to integrate data in Splunk with other systems, and demonstrated several queries accessing data in Splunk via SQL and JDBC.
Julian HydeFollow
Recommended
Optiq: a SQL front-end for everythingJulian Hyde
Why is data independence (still) so important? Optiq and Apache Drill.Julian Hyde
SQL on Big Data using OptiqJulian Hyde
Drill / SQL / OptiqJulian Hyde
Apache Calcite Tutorial - BOSS 21Stamatis Zampetakis
Planning with Polyalgebra: Bringing Together Relational, Complex and Machine ...Julian Hyde
More Related Content
What's hot
What's new in Mondrian 4?Julian Hyde
SQL for NoSQL and how Apache Calcite can helpChristian Tzolov
SQL Now! How Optiq brings the best of SQL to NoSQL data.Julian Hyde
Mondrian update (Pentaho community meetup 2012, Amsterdam)Julian Hyde
Smarter Together - Bringing Relational Algebra, Powered by Apache Calcite, in...Julian Hyde
Apache Calcite: A Foundational Framework for Optimized Query Processing Over ...Julian Hyde
Viewers also liked
From Support to Success: How Splunk Evolved Its Success Services to Deliver M...Matthew Klassen
Splunk in integration testingAlbert Witteveen
SplunkLive! Splunk for IT OperationsSplunk
Splunk for NAC in YandexTimur Bagirov
Enrich a 360-degree Customer View with Splunk and Apache HadoopHortonworks
Driving Efficiency with Splunk Cloud at Gatwick AirportSplunk
Similar to How to integrate Splunk with any data solution
Spark Summit EU talk by Michael NitschingerSpark Summit
Projeto-web-services-Spring-Boot-JPA.pdfAdrianoSantos888423
Analytics Zoo: Building Analytics and AI Pipeline for Apache Spark and BigDL ...Databricks
Splunk Ninjas: New Features and Search DojoSplunk
SplunkLive! Tampa: Splunk Ninjas: New Features, Pivot, and Search Dojo Splunk
The Django Book - Chapter 5: ModelsSharon Chen
More from Julian Hyde
Cubing and Metrics in SQL, oh my!Julian Hyde
Adding measures to Calcite SQLJulian Hyde
Morel, a data-parallel programming languageJulian Hyde
Is there a perfect data-parallel programming language? (Experiments with More...Julian Hyde
Morel, a Functional Query LanguageJulian Hyde
The evolution of Apache Calcite and its CommunityJulian Hyde
Recently uploaded
Product Research Presentation-Maidy Veloso.pptxMaidyVeloso
Mule Meetup Calgary- API Governance & Conformance.pdfNithaJoseph4
Safe Community Call #12.pdfLornyPfeifer
Webhook Testing StrategyDimpy Adhikary
10 reasons to choose Galaxy Tab S9 for work on the goSamsung Business USA
Getting your enterprise ready for Microsoft 365 CopilotVignesh Ganesan I Microsoft MVP
How to integrate Splunk with any data solution
- 1. Copyright © 2012 Splunk Inc.
- 2. How to Integrate Splunk with any Data Solution Julian Hyde (Optiq) @julianhyde http://github.com/julianhyde/optiq http://github.com/julianhyde/optiq-splunk Splunk Worldwide Users Conference 2012
- 3. Why are we here? I'm going to explain how to use Splunk to access all of the data in your enterprise. And also to let people in your enterprise use data in Splunk. This isn't easy. We'll be showing some raw technology – the new Optiq project and its Splunk adapter. But it's open source, so you can all get your hands on it. :)
- 4. About me Database hacker Open source hacker Author of Mondrian (Pentaho Analysis) Startup fiend
- 7. “Big Data” Right data, right time Diverse data sources / Performance / Suitable format
- 8. Example Accessing Splunk data via SQL Sqlline (a standard JDBC client)
- 9. How do it (wrong) action = 'purchase' “search” Splunk Optiq filter SELECT “source”, “product_id” FROM “splunk”.”splunk” WHERE “action” = 'purchase'
- 10. How do it (right) “search action=purchase” Splunk Optiq SELECT “source”, “product_id” FROM “splunk”.”splunk” WHERE “action” = 'purchase'
- 11. Example #2 Combining data from 2 sources (Splunk & MySQL) Also possible: 3 or more sources; 3-way joins; unions
- 12. Expression tree SELECT p.“product_name”, COUNT(*) AS c FROM “splunk”.”splunk” AS s JOIN “mysql”.”products” AS p ON s.”product_id” = p.”product_id” WHERE s.“action” = 'purchase' GROUP BY p.”product_name” Splunk ORDER BY c DESC Table: splunk Key: product_name Key: product_id Agg: count Condition: Key: c DESC action = 'purchase' scan join MySQL filter group sort scan Table: products
- 13. Expression tree SELECT p.“product_name”, COUNT(*) AS c FROM “splunk”.”splunk” AS s (optimized) JOIN “mysql”.”products” AS p ON s.”product_id” = p.”product_id” WHERE s.“action” = 'purchase' GROUP BY p.”product_name” Splunk ORDER BY c DESC Condition: Table: splunk action = 'purchase' Key: product_name Agg: count Key: c DESC Key: product_id scan filter MySQL join group sort scan Table: products
- 14. Optiq is not a database.
- 17. Conventional database architecture JDBC client JDBC server SQL parser / validator Metadata Query optimizer Data-flow operators Data Data
- 18. Optiq architecture JDBC client JDBC server Optional SQL parser / Metadata validator SPI Core Query Pluggable optimizer rules 3rd 3rd Pluggable party party ops ops 3rd party 3rd party data data
- 19. What is Optiq? A really, really smart JDBC driver Framework Potential core of a data management system
- 20. Writing an adapter Driver – if you want a vanity URL like “jdbc:splunk:” Schema – describes what tables exist (Splunk has just one) Table – what are the columns, and how to get the data. (Splunk's table has any column you like... just ask for it.) Operators (optional) – non-relational operations Rules (optional, but recommended) – improve efficiency by changing the question Parser (optional) – to query via a language other than SQL
- 21. Splunk Adapter Rules for pushing down filters, projections The tricky bit: changed the validator to allow tables to have any column To be written: rules for pushing down aggregations, joins (What you've seen today is in github.) Would be really nice if... Splunk pushed down filters, projections, aggregations from its search pipeline to the MySQL connector. (Currently you have to hand-write a SQL statement.)
- 23. Optiq roadmap ideas Mondrian use Optiq to read from data sources such as Splunk Kettle integration (read/write SQL to ETL) Adapters: Cascading, MongoDB, Hbase, Apache Drill, …? Front-ends: linq4j, Scala SLICK, Java8 streams Contributions
- 24. Conclusions Liberate your data! Optiq is a framework Build & share Optiq adapters
- 26. Additional material: The following queries were used in the demo select s."source", s."sourcetype" select * from "mysql"."products"; from "splunk"."splunk" as s; select p."product_name", select s."source", s."sourcetype", s."action" s."action" from "splunk"."splunk" as s from "splunk"."splunk" as s where s."action" = 'purchase'; join "mysql"."products" as p on s."product_id" = p."product_id"; select s."source", s."sourcetype", s."action" from
Editor's Notes
- The obligatory “big data” definition slide. What is “big data”? It's not really about “big”. We need to access data from different parts of the organization, when we need it (which often means we don't have time to copy it), and the performance needs to be reasonable. If the data is large, it is often larger than the disks one can fit on one machine. It helps if we can process the data in place, leveraging the CPU and memory of the machines where the data is stored. We'd rather not copy it from one system to another. It needs to be flexible, to deal with diverse systems and formats. That often means that open source is involved. Some systems (e.g. reporting tools) can't easily be changed to accommodate new formats. So it helps if the data can be presented in standard formats, e.g. SQL.
- Demo connecting to Splunk via the Optiq driver. We aer using sqlline as the shell (it works with any JDBC driver). Se;ect “source” from “splunk”.”splunk” where “sourcetype=” = 'mysqld-4'; In the generated Java on the screen, Note how sourcetype is pushed down to Splunk.
- The wrong way to execute the query is for Splunk to send all of the data to Optiq. Splunk does more work than it needs to, it doesn't use any indexes, the network sends too much data, Optiq does too much work.
- The right way to execute the query is to pass the filter down to Splunk. This lets Splunk use its indexes, so it does less work, passes less data over the network, and the query finishes faster. This is just a simple answer, but a lot of problems can be solved by “pushing down” expressions, filters, computation of summaries. Do the work, and reduce the volume of data, as early in the process as possible.
- Demo connecting to Splunk via the Optiq driver. We aer using sqlline as the shell (it works with any JDBC driver). Se;ect “source” from “splunk”.”splunk” where “sourcetype=” = 'mysqld-4'; In the generated Java on the screen, Note how sourcetype is pushed down to Splunk.
- It's much more efficient if we psuh filters and aggregations to Splunk. But the user writing SQL shouldn't have to worry about that. This is not about processing data. This is about processing expressions. Reformulating the question. The question is the parse tree of a query. The parse tree is a data flow. In Splunk, a data flow looks like a pipeline of Linux commands. SQL systems have pipelines too (sometimes they are dataflow trees) built up of the basic relational operators. Think of the SQL SELECT, WHERE, JOIN, GROUP BY, ORDER BY clauses.
- It's much more efficient if we psuh filters and aggregations to Splunk. But the user writing SQL shouldn't have to worry about that. This is not about processing data. This is about processing expressions. Reformulating the question. The question is the parse tree of a query. The parse tree is a data flow. In Splunk, a data flow looks like a pipeline of Linux commands. SQL systems have pipelines too (sometimes they are dataflow trees) built up of the basic relational operators. Think of the SQL SELECT, WHERE, JOIN, GROUP BY, ORDER BY clauses.
- To recap. Optiq is not a database. It does as little of the database processing as it can get away with. Ideally, nothing at all. But what is it?
- Optiq is not a database... it is more like a telephone exchange. Applications can get the data they need, quickly and efficiently.
- Conventional database has ODBC/JDBC driver, SQL parser, . Data sources. Expression tree. Expression transformation rules. Optimizer. For NoSQL databases, the language may not be SQL, and the optimizer may be less sophisticated, but the picture is basically the same. For frameworks, such as Hadoop, there is no planner. You end up writing code (e.g MapReduce jobs).
- In Optiq, the query optimizer (we modestly call it the planner) is central. The JDBC driver/server and SQL parser are optional; skip them if you have another language. Plug-ins provide metadata (the schema), planner rules, and runtime operators. There are built-in relational operators and rules, and there are built-in operators implemented in Java. But to access data, you need to provide at least one operator.
- It needs to be said. Optiq is not a database. It looks like a database to your applications, and that's great. But when you want to integrate data from multiple sources, in different formats, and have those systems talk to each other, it doesn't force you to copy the data around. It gets out of your way. You configure Optiq by writing Java code. Therefore it is a framework, like Spring and, yes, like Hadoop. Optiq masquerades as a really, really smart JDBC driver. It has a SQL parser and JDBC driver. And actually you can embed it into another data management system, with a language other than SQL.