All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating a dataset to search in instead of searching in outside DB

matansocher
Contributor
‎03-23-2017 08:02 AM

Since in the query below splunk is seaching in outside database, the search takes a lot of time to show results.

| dbquery "MPS" "SELECT * FROM MPS.MPS_MILESTONE WHERE (Design_Element_Name='IPA') AND Report_Milestone!=' ' AND ProjectName='Accelerator_cores'"

Executing that query in the search gives me a result table.
How can i export the result table into a dataset so i can search it with no need to get to the db every time I make a search?

thank you

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-23-2017 08:11 AM

You can dump it to a CSV file by adding this:

| outputcsv MyCSV

Then you get at it like this:

| inputcsv MyCSV

If this is large, you may cause problems by cluttering up your dispatch directory
You can dump it to a KVStore by setting up a collection and then adding this:

| outputlookup MyKVStoreLookup

Then you get at it like this:

| inputlookup MyKVStoreLookup

You can dump it to a summary index like this:

| eval MySpecialField=MySpecialValue | collect MySummaryIndexName

Then you get at it like this:

index=MySummaryIndexName MySpecialField=MySpecialValue

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-23-2017 08:11 AM

You can dump it to a CSV file by adding this:

| outputcsv MyCSV

Then you get at it like this:

| inputcsv MyCSV

If this is large, you may cause problems by cluttering up your dispatch directory
You can dump it to a KVStore by setting up a collection and then adding this:

| outputlookup MyKVStoreLookup

Then you get at it like this:

| inputlookup MyKVStoreLookup

You can dump it to a summary index like this:

| eval MySpecialField=MySpecialValue | collect MySummaryIndexName

Then you get at it like this:

index=MySummaryIndexName MySpecialField=MySpecialValue
Reply
Solved! Jump to solution

DalJeanis
Legend
‎03-23-2017 09:25 AM

shouldn't that be ...

 | inputlookup MyKVStoreLookup
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-23-2017 11:46 AM

Quite correct. Fixed now. Thank you for the oversight.

Reply
Solved! Jump to solution

matansocher
Contributor
‎03-23-2017 08:17 AM

could not ask for better answer and any faster.

thank you very much!!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...