topic how to write dbquery in search in Splunk Search

how to write dbquery in search

vikas_gopal — Wed, 19 Feb 2014 15:01:00 GMT

Hi guys,
Please help me to write a dbquery in search bar.I have the following dbquery
| dbquery "databasename" "select la,ba from abc" .
I want to type this query in search bar as
source=databasename sourcetype=tablename | fields la,ba

I tried but it says invalid source or sourcetype. Please help me to write dbquery in search bar so that Splunk can read it in it's own syntax .....

Re: how to write dbquery in search

martin_mueller — Wed, 19 Feb 2014 16:30:48 GMT

That's not going to work, Splunk cannot translate SPL into SQL.

What's wrong with using | dbquery databasename "SQL query"?

Re: how to write dbquery in search

vikas_gopal — Wed, 19 Feb 2014 17:42:02 GMT

Thanks Martin..in the first line you cleared my doubt and nothing is wrong with |dbquery it works absolutely fine but I am trying to understand the concept how indexing will work with DBconnect.Please correct me if I am wrong , as per my understanding Splunk will act as frontend app if we connect to database using DBConnect app Splunk won't do indexing of the data.If it does then how (I mean at what stage it indexes the data is it at the time of running the query or at the time of connecting database using DBconnect)

Re: how to write dbquery in search

vikas_gopal — Wed, 19 Feb 2014 18:09:32 GMT

FYI I build connection to oracle database with ODBC and in DBconeect I used "database connection in Splunk manager" option .

Re: how to write dbquery in search

martin_mueller — Wed, 19 Feb 2014 18:10:38 GMT

Running a piece of SQL through dbquery and indexing events from a database are two unrelated concepts, dbquery runs its SQL at search time, no indexing involved.

You can configure DBConnect to run SQL queries on a schedule and index their results, see http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Configuredatabasemonitoring for more info.