https://community.splunk.com/t5/Splunk-Search/Iterate-through-dbxquery-SQL-results/m-p/609985#M212113 <P>Thanks for taking the time to respond&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; !<BR /><BR />Great, and if I wanted to take that col1 value and say, include it in an evaluated field called description, how would I compile that?<BR /><BR />e.g. below just produces col1 as plain text, rather than the actual value from the query<BR /><BR />| eval Description="col1"." - "."This alert monitors Juice"</P> Thu, 18 Aug 2022 13:50:42 GMT lukenorthern 2022-08-18T13:50:42Z https://community.splunk.com/t5/Splunk-Search/Iterate-through-dbxquery-SQL-results/m-p/609977#M212107 <P>Hello<BR /><BR />I have a search which is gathering 8 columns from a table. (below)<BR /><BR />I want to make col1 available to query against later in the SPL. I tried to access via "rename query.col1 as col1" for example but the data does not seem to appear, almost as if query.col1 is not valid? Can't find any info on how to remedy this elsewhere on the site, apologies if this has been asked before. The query returns 1 row.<BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="csharp">| dbxquery query="Select col1,col2,col3,col4,col5,col6,col7,col8 from JuiceTable where col1 = 'special value'" connection="Juice-Prod" | stats count as total | eval Status=case(total=0,"Healthy",total &gt; 0, "Critical")</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN><BR /><BR /><BR /></SPAN></P> Thu, 18 Aug 2022 14:07:39 GMT https://community.splunk.com/t5/Splunk-Search/Iterate-through-dbxquery-SQL-results/m-p/609977#M212107 lukenorthern 2022-08-18T14:07:39Z https://community.splunk.com/t5/Splunk-Search/Iterate-through-dbxquery-SQL-results/m-p/609983#M212111 <P>The stats command will reduce the event pipeline to a single event with one field (total). If you want more fields, you will have to modify the stats command</P><LI-CODE lang="markup">| stats count as total by col1</LI-CODE><P>However, this will give you an event (row) for each value of col1, not the total number of events.</P><P>Alternatively, you could filter the events before the stats command</P><LI-CODE lang="markup">| where col1="some value" | stats count as total</LI-CODE> Thu, 18 Aug 2022 13:43:21 GMT https://community.splunk.com/t5/Splunk-Search/Iterate-through-dbxquery-SQL-results/m-p/609983#M212111 ITWhisperer 2022-08-18T13:43:21Z https://community.splunk.com/t5/Splunk-Search/Iterate-through-dbxquery-SQL-results/m-p/609985#M212113 <P>Thanks for taking the time to respond&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/225168">@ITWhisperer</a>&nbsp; !<BR /><BR />Great, and if I wanted to take that col1 value and say, include it in an evaluated field called description, how would I compile that?<BR /><BR />e.g. below just produces col1 as plain text, rather than the actual value from the query<BR /><BR />| eval Description="col1"." - "."This alert monitors Juice"</P> Thu, 18 Aug 2022 13:50:42 GMT https://community.splunk.com/t5/Splunk-Search/Iterate-through-dbxquery-SQL-results/m-p/609985#M212113 lukenorthern 2022-08-18T13:50:42Z https://community.splunk.com/t5/Splunk-Search/Iterate-through-dbxquery-SQL-results/m-p/609986#M212114 <LI-CODE lang="markup">| eval Description=col1." - This alert monitors Juice"</LI-CODE><P>If you real col1 contains special characters, then wrap it in single (not double) quotes</P><LI-CODE lang="markup">| eval Description='col1'." - This alert monitors Juice"</LI-CODE> Thu, 18 Aug 2022 13:53:59 GMT https://community.splunk.com/t5/Splunk-Search/Iterate-through-dbxquery-SQL-results/m-p/609986#M212114 ITWhisperer 2022-08-18T13:53:59Z https://community.splunk.com/t5/Splunk-Search/Iterate-through-dbxquery-SQL-results/m-p/609987#M212115 <P>The field names are the same as the column names.&nbsp; No rename is needed.&nbsp; In this example, it's just "col1".</P><P>"query" is the name of an argument to the <FONT face="courier new,courier">dbxquery</FONT> command.&nbsp; It's not an object.</P> Thu, 18 Aug 2022 13:54:24 GMT https://community.splunk.com/t5/Splunk-Search/Iterate-through-dbxquery-SQL-results/m-p/609987#M212115 richgalloway 2022-08-18T13:54:24Z