Introduction
Splunk DB Connect is a generic SQL database extension for Splunk that enables easy integration of database information with Splunk queries and reports. For more information, refer to the About Splunk DB Connect.
This guide provides complete documentation to integrate Splunk DB Connect with Snowflake for ingesting data from the User, Device, and Applications tables. It ensures reliable data ingestion, deduplication via checkpointing, and optimized performance.
Prerequisites
Splunk Enterprise (v8.2 or later)
Splunk DB Connect App (v3.18.2)
Splunk DBX Add-on for Snowflake JDBC (compatible with JRE environment)
OpenJDK 11 installed (for native memory operation support: Download link)
Snowflake read-only user with access to required tables: Steps
Whitelist Splunk IP in Snowflake account (if applicable)
Configuration Overview
Create the Snowflake Identity & grant necessary privileges (optional).
Install and set up Splunk DB Connect App from the Splunk Base.
Add configuration to setup Snowflake Connection using the app.
Setup input configuration to query Snowflake DB data & ingest it to Splunk indices.
Query Splunk indices & perform data validation.
Snowflake Login
Identity Creation
-- Step 1: Create custom role for Splunk integration
USE ROLE SECURITYADMIN;
CREATE OR REPLACE ROLE splunk_role;
-- Step 2: Grant warehouse access to the Splunk role
GRANT USAGE, OPERATE ON WAREHOUSE <MY_WH> TO ROLE splunk_role;
-- USAGE: Allows the role to use the warehouse
-- OPERATE: Allows the role to resume/suspend the warehouse
-- Step 3: Create Splunk DB Connect user with the role and warehouse
-- Force change temporary password on first login
USE ROLE SECURITYADMIN;
CREATE OR REPLACE USER SPLUNK_DB_USER
password = 'abcd1234'
must_change_password = true
default_warehouse = <MY_WH>
default_role = splunk_role;
-- Step 4: Assign the role to the user
GRANT ROLE splunk_role TO USER SPLUNK_DB_USER;
Grant Privileges
-- Grant database usage
GRANT USAGE ON DATABASE <MY_DB> TO ROLE splunk_role;
-- Grant schema usage
GRANT USAGE ON SCHEMA <MY_DB>.OCSF TO ROLE splunk_role;
-- Grant SELECT on required tables
GRANT SELECT ON TABLE <MY_DB>.OCSF.DEVICE TO ROLE splunk_role;
GRANT SELECT ON TABLE <MY_DB>.OCSF.USER TO ROLE splunk_role;
GRANT SELECT ON TABLE <MY_DB>.OCSF.APPLICATIONS TO ROLE splunk_role;
Key Points
If you are creating a provisioning script, make sure it's run by a Snowflake admin user with both SECURITYADMIN and SYSADMIN privileges
Replace <MY_WH> with the Snowflake Warehouse from which you want to query.
Replace <MY_DB> with the Snowflake Database you want to query.
Splunk Configuration
Login to the Splunkbase using your Splunk account credentials.
Download Splunk DB Connect and Splunk DBX Add-on for Snowflake JDBC, save them to a temporary location that you can access from your Splunk Enterprise instance.
Log in to Splunk Web, go to Apps > Manage Apps, then click Install app from file.
Choose file that you downloaded; splunk_app_db_connect-<version>.tgz and click Upload. Similarly, upload splunk-dbx-add-on-for-snowflake-jdbc_<version>.tgz file.
Navigate to Settings > Server controls under SYSTEM section.
Click on Restart Splunk.
Connection Setup
There are two steps to setup a new connection:
Create New Identity
Navigate to the Configuration > Databases > Identities tab and click New Identity > Basic Identity.
On the Settings tab, enter the following fields & click on Save:
Identity Name: Enter a name for the identity
Username: Enter the name of the database user you want to connect as.
Password: Enter the password for the user you entered in the Username field. (encrypted format)
NOTE: We are keeping the default role & permissions for this identity. Make sure that the database user has limited access to the data you want to query.
Create New Connection
Navigate to the Configuration > Databases > Connections tab & click on Select New Connection.
On the New Connection page, complete the following fields:
Connection name
Identity: Select the identity you created previously.
Connection Type: Select Snowflake from a list of supported databases.
Timezone: If you want to convert data of date and time types read from the database into the Splunk server's local time zone, enter the source database time zone for the conversion. Keep None.
Enable SSL: Leave unchecked, as SSL support is not available for Snowflake connection types.
JDBC URL Preview: Check Edit JDBC URL option and replace the host with your snowflake Account Identifier.
Connection Properties (optional): Splunk uses the provided properties during the creation of the connection.
user: select username for snowflake identity
password: select password for snowflake identity
warehouse: select snowflake warehouse
db: select snowflake database
schema: select schema to query (i.e. OCSF)
NOTE: Splunk doesn’t guarantee query restriction based on the above properties. Make sure your snowflake identity has restricted access.
Select Save to save the connection.
NOTE: If the connection you create is valid, you can save the connection successfully. Otherwise Splunk displays an error message for you to check the configuration of the connection and save it again.
DB Input Configuration
Create Index
Before proceeding to Data Input Configuration, create Splunk indexes for data output.
Navigate to Settings > Indexes under DATA section.
Click on New Index.
On the New Index window, add appropriate index name and click on Save to proceed with default general settings.
Create New input
In Splunk DB Connect, select Data Lab > Inputs and then New Input.
On the Set SQL Query page, complete the following steps and then select Next to go to the Set Properties page.
Choose table: Select the database table you want to use with this input.
Connection: Select the connection you created previously
Catalog: Select the snowflake db
Schema: Select the schema (i.e. CDP)
Table: Select the table to query (i.e. DEVICE/USER/APPLICATION)
Specify SQL query: Specify a query to run to retrieve data from your database.
SELECT * FROM <CATALOG>.<SCHEMA>.<TABLE> where active = true and end_time is null and |
Choose input mode: Specify the input mode as Event and related templates for this input.
Choose input type: Specify the input type and related settings of this input.
Input Type: Select input type as Rising
Rising Column: Select unique column for data checkpointing (i.e. ID)
Checkpoint Value: 0
Timestamp: Choose Column
Column: Select timestamp column to index the Splunk data (i.e. CREATED_TIME, START_TIME)
Query Timeout: Leave blank (Default: 30 seconds)
Execute Query: Click on Execute Query to review results before proceeding
On the Set Properties page, complete the following steps and then select Finish.
Basic information: Specify the name, description and the application of this input.
Name: Add data input name
Description: Add relevant description
Application: Choose Splunk DB Connect
Parameter settings: Configure the fetch size, execution frequency and max row to retrieve this input.
Max Rows to Retrieve: Keep blank (to achieve max performance)
Execution Frequency: Enter the number of seconds or a valid cron expression to execute query periodically (i.e. 60 seconds)
Metadata: Specify the metadata of this input, Splunk uses the value to index your data events.
Host: Keep blank (to use host defined on the connection)
Source: Add name to uniquely identify source per data input (i.e. snowflake:device_table)
Source Type: Add source type to structure data (i.e. snowflake:device)
Index: Add the destination index for input data (i.e. databee)
NOTE: Make sure that index exists, before proceeding to the Data Input Configuration.
Clone Input
From the Actions, choose Clone option to copy configuration and create New Input for each Snowflake table to query.
Choose Table & Verify below configurations to query USER data.
Similarly, verify the configurations below to query APPLICATION data.
Data Validation
Record count by SourceType
index=databee | stats count by sourcetype |
Query Device Records
index=databee sourcetype=snowflake:device |
Query User Records
index=databee sourcetype=snowflake:user |
Query Application Records
index=databee sourcetype=snowflake:application |
Troubleshooting Tips
If there is any error in Snowflake Connection Setup, verify that snowflake identity has enough access to query snowflake data for mentioned connection properties.
To verify the JDBC connection properties from the Snowflake, refer this.
If you encounter an "Invalid Connection" error and receive a Trace ID or error reference, click on Search to view detailed logs.
In case of any error related to JDBC driver or version compatibility, navigate to Configuration > Settings and verify below settings.
JRE Installation Path: Set as OpenJDK11 installed version (By default: JAVA_HOME env variable)
Drivers: Snowflake driver should be listed as installed