https://community.splunk.com/t5/Splunk-Search/dbquery-command-with-map-command/m-p/174126#M186592 <P>I figured out that using a subsearch ie [ ] is not ideal in most situations. Its better to use the map search="" notation and escape the quotes inside the quoted search=. </P> <P>Thus, this search works:</P> <P><CODE><BR /> index=log sourcetype=app_log "keyword" | rex "(?i)primary key: (?P<PRIMARY_KEY>[^ ]+)" | join type=outer host [ | inputlookup db_info.csv ] | dedup host, primary_key | fields SID, primary_key | map search="| dbquery $SID$ \"select column1, column2 from $SID$.table where _id = '$primary_key$'\"" | table column1, column2<BR /> </PRIMARY_KEY></CODE></P> <P>I also noticed that if you remove the last "table" command, and run it straight out, you wont see the result but Splunk displays results count. </P> Mon, 28 Sep 2020 17:22:02 GMT BP9906 2020-09-28T17:22:02Z https://community.splunk.com/t5/Splunk-Search/dbquery-command-with-map-command/m-p/174125#M186591 <P>Has anyone been able to use inputlookup with the map command to run multiple DB queries? </P> <P>When I run it, I get an error that dbquery doesnt understand database named $DATABASE$.<BR /> Definitely the inputlookup returns 1 column named "DATABASE" with the database names equal to the naming I put for the database name when I run the command manually. <BR /> Any ideas?<BR /><BR /> I found that "|append [ |dbquery ..." works too, but more than a few with a complex query makes it look like a scary splunk search. </P> <P>Thank you for your help.</P> <P><CODE><BR /> |inputlookup db.csv | map [ | dbquery "$DATABASE$" "select column1 from $DATABASE$.table1 where table1.last_updated_date &gt;= TRUNC(SYSDATE)" ]<BR /> </CODE></P> Mon, 28 Sep 2020 15:27:37 GMT https://community.splunk.com/t5/Splunk-Search/dbquery-command-with-map-command/m-p/174125#M186591 BP9906 2020-09-28T15:27:37Z https://community.splunk.com/t5/Splunk-Search/dbquery-command-with-map-command/m-p/174126#M186592 <P>I figured out that using a subsearch ie [ ] is not ideal in most situations. Its better to use the map search="" notation and escape the quotes inside the quoted search=. </P> <P>Thus, this search works:</P> <P><CODE><BR /> index=log sourcetype=app_log "keyword" | rex "(?i)primary key: (?P<PRIMARY_KEY>[^ ]+)" | join type=outer host [ | inputlookup db_info.csv ] | dedup host, primary_key | fields SID, primary_key | map search="| dbquery $SID$ \"select column1, column2 from $SID$.table where _id = '$primary_key$'\"" | table column1, column2<BR /> </PRIMARY_KEY></CODE></P> <P>I also noticed that if you remove the last "table" command, and run it straight out, you wont see the result but Splunk displays results count. </P> Mon, 28 Sep 2020 17:22:02 GMT https://community.splunk.com/t5/Splunk-Search/dbquery-command-with-map-command/m-p/174126#M186592 BP9906 2020-09-28T17:22:02Z