All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating a dataset to search in instead of searching in outside DB

matansocher
Contributor
‎03-23-2017 08:02 AM

Since in the query below splunk is seaching in outside database, the search takes a lot of time to show results.

| dbquery "MPS" "SELECT * FROM MPS.MPS_MILESTONE WHERE (Design_Element_Name='IPA') AND Report_Milestone!=' ' AND ProjectName='Accelerator_cores'"

Executing that query in the search gives me a result table.
How can i export the result table into a dataset so i can search it with no need to get to the db every time I make a search?

thank you

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-23-2017 08:11 AM

You can dump it to a CSV file by adding this:

| outputcsv MyCSV

Then you get at it like this:

| inputcsv MyCSV

If this is large, you may cause problems by cluttering up your dispatch directory
You can dump it to a KVStore by setting up a collection and then adding this:

| outputlookup MyKVStoreLookup

Then you get at it like this:

| inputlookup MyKVStoreLookup

You can dump it to a summary index like this:

| eval MySpecialField=MySpecialValue | collect MySummaryIndexName

Then you get at it like this:

index=MySummaryIndexName MySpecialField=MySpecialValue

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-23-2017 08:11 AM

You can dump it to a CSV file by adding this:

| outputcsv MyCSV

Then you get at it like this:

| inputcsv MyCSV

If this is large, you may cause problems by cluttering up your dispatch directory
You can dump it to a KVStore by setting up a collection and then adding this:

| outputlookup MyKVStoreLookup

Then you get at it like this:

| inputlookup MyKVStoreLookup

You can dump it to a summary index like this:

| eval MySpecialField=MySpecialValue | collect MySummaryIndexName

Then you get at it like this:

index=MySummaryIndexName MySpecialField=MySpecialValue
Reply
Solved! Jump to solution

DalJeanis
Legend
‎03-23-2017 09:25 AM

shouldn't that be ...

 | inputlookup MyKVStoreLookup
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-23-2017 11:46 AM

Quite correct. Fixed now. Thank you for the oversight.

Reply
Solved! Jump to solution

matansocher
Contributor
‎03-23-2017 08:17 AM

could not ask for better answer and any faster.

thank you very much!!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk MCP & Agentic AI: Machine Data Without Limits

  Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization ...

Finding Based Detections General Availability

Overview  We’ve come a long way, folks, but here in Enterprise Security 8.4 I’m happy to announce Finding ...

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Hands-On Learning and Technical Seminars  Sometimes, you just need to see the code. For those looking for a ...