Hi,
I am using the Splunk Java SDK to develop an application in which Splunk is used as a database. I am aware that there is no perfect mapping between a database and Splunk, but there are analogs.
Please help map the following analogs from a database.
1. How to find the data type and length of fields returned from the search?
2. What is the default data type that can be assigned to the field?
3. What can be the maximum length/size of a field?
4. Is there a unique identifier for events, similar to the primary key we have in other databases? What fields can be considered to be the primary key for search events?
Is there an API available in Splunk for implementing the above things, or please suggest an alternate way to achieve this.
Please help.
Thanks in advance,
Pravin Sanadi
I'm not sure an API exists to do what you're talking about. Field definitions are arbitrary in Splunk, and can even be defined in SPL at search runtime. Data types are effectively all "text" until you change them with an eval function. Everything is indexed by timestamp, and there are no constraints on unique data like you would expect in a relational database - events can be duplicated easily if source data is re-scanned, and there isn't any restriction on the number of events that can occur at a single point in time. Splunk is really designed to search and process data in time series; I'm not sure what your application is intended to do, but I don't think you can use Splunk as a transactional-type relational database like you would MySQL or Oracle and expect it to work well.
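Since the answer above describes field values as text and events as having no uniqueness constraint, here is one client-side way to handle both, as an added example that is not part of the original thread and not Splunk SDK code. It assumes each result row is already available as a `Map<String, String>`; the class name, the `row` helper, the choice of key fields and the sample rows are all constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;

public class FieldProfile {  // hypothetical class name; needs Java 9+
    // Every value arrives as text, so the type has to be inferred from its content.
    static String inferType(String v) {
        if (v.matches("-?\\d+")) return "integer";
        if (v.matches("-?\\d*\\.\\d+")) return "decimal";
        return "text";
    }
    // Widen a field's type when rows disagree: integer < decimal < text.
    static String widen(String a, String b) {
        if (a.equals(b)) return a;
        return (a.equals("text") || b.equals("text")) ? "text" : "decimal";
    }
    // Surrogate key from event content (assumed key fields). Nothing enforces
    // uniqueness, so a re-indexed copy of an event produces the same key.
    static String eventKey(Map<String, String> e) throws Exception {
        String material = String.join("\0", e.getOrDefault("_time", ""),
                e.getOrDefault("host", ""), e.getOrDefault("source", ""), e.getOrDefault("_raw", ""));
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(material.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }
    static Map<String, String> row(String time, String raw, String status, String duration) {
        return Map.of("_time", time, "host", "web1", "source", "/var/log/app.log",
                "_raw", raw, "status", status, "duration", duration);
    }
    public static void main(String[] args) throws Exception {
        List<Map<String, String>> rows = List.of(  // constructed sample results
                row("1704067200", "status=200 duration=3", "200", "3"),
                row("1704067260", "status=404 duration=0.25", "404", "0.25"),
                row("1704067200", "status=200 duration=3", "200", "3"));  // re-scanned copy
        Map<String, String> types = new TreeMap<>();
        Map<String, Integer> maxLen = new TreeMap<>();
        Set<String> seen = new HashSet<>();
        for (Map<String, String> e : rows) {
            if (!seen.add(eventKey(e))) System.out.println("duplicate: " + e.get("_raw"));
            e.forEach((k, v) -> {
                types.merge(k, inferType(v), FieldProfile::widen);
                maxLen.merge(k, v.length(), Integer::max);
            });
        }
        types.forEach((k, t) -> System.out.println(k + ": " + t + ", max length " + maxLen.get(k)));
    }
}
```

The inferred types and lengths describe only the rows that were profiled, and the content-derived key treats two distinct events with identical time, host, source and raw text as one.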