Splunk: Execute the same query on multiple datasources


I have multiple databases (>100) with the identical structure. For business monitoring, I have about 80 queries which check information in the database. Now, I want to execute each of these queries on each of these databases and load the results into Splunk. In Splunk, is it possible to define the >100 database connections once and the 80 queries once and then make some "magic" step to execute each statement on each database? I don't want to create a new connection for each combination of database and query.


The only way Splunk has to connect to a database "itself" is via DB Connect (docs).

From Splunk's perspective, there is no way to connect to 100 databases without having unique connections to each.

So far as I know, there is no tool that will connect to more than one database without unique connections - that's something database servers enforce in transactional models.

That being said, if you have a way to enumerate all the databases you want to connect to, and a place to save the queries you want to run, you could build either a

  • scripted-input add-on that could use your language of choice (whatever's available on the Splunk server(s)/endpoint(s) it's running on) to iterate through each database, run each query, and ship the results back to Splunk, or
  • in similar fashion to the scripted-input option, write a script (or set of scripts) that would execute the queries in question against the databases you're targeting, and submit results to the HTTP Event Collector (HEC) (HL has a great write-up on HEC over here, and here's George Starcher's Python class for HEC)
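
Added example (not part of the original answer): a sketch of the script approach described above, where the database list and the query set are each defined once and every query is run on every database, with results shaped as HEC events. The in-memory SQLite databases, the `orders` table, the `dbmon:*` source names and the `connect`/`collect`/`send_to_hec` helpers are all constructed for illustration; the HEC URL and token are passed in by the caller rather than stored in the script.

```python
import json
import sqlite3
import time
import urllib.request

# Constructed stand-ins for the real inventory: in production each entry
# would be a DSN/credential reference resolved from a secret store.
DATABASES = ["tenant_a", "tenant_b", "tenant_c"]
# Each monitoring query is defined once and run against every database.
QUERIES = {
    "open_orders": "SELECT COUNT(*) AS n FROM orders WHERE status = 'open'",
    "max_amount": "SELECT MAX(amount) AS max_amount FROM orders",
}

def connect(name):
    """Hypothetical connector: builds an in-memory SQLite DB with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE orders (status TEXT, amount REAL)")
    rows = [("open", 10.0), ("closed", 25.5)] + [("open", 5.0)] * len(name)
    conn.executemany("INSERT INTO orders VALUES (?, ?)", rows)
    return conn

def collect(databases, queries, now=None):
    """Run every query on every database; return a list of HEC event dicts."""
    events = []
    for db in databases:
        conn = connect(db)  # still one connection per database
        try:
            for qname, sql in queries.items():
                for row in conn.execute(sql):
                    events.append({
                        "time": now or time.time(),
                        "source": f"dbmon:{db}",
                        "sourcetype": "dbmon:query",
                        "event": {"database": db, "query": qname, **dict(row)},
                    })
        finally:
            conn.close()
    return events

def send_to_hec(events, url, token):
    """POST events to HEC; url and token are supplied by the caller."""
    body = "\n".join(json.dumps(e) for e in events).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Splunk {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:  # TLS verified by default
        return resp.status
```

Tagging each event with the database and query name keeps the 100 x 80 result streams separable in searches, and the account used by the script only needs read access to the monitored tables.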