All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating a dataset to search in instead of searching in outside DB

matansocher
Contributor
‎03-23-2017 08:02 AM

Since in the query below splunk is seaching in outside database, the search takes a lot of time to show results.

| dbquery "MPS" "SELECT * FROM MPS.MPS_MILESTONE WHERE (Design_Element_Name='IPA') AND Report_Milestone!=' ' AND ProjectName='Accelerator_cores'"

Executing that query in the search gives me a result table.
How can i export the result table into a dataset so i can search it with no need to get to the db every time I make a search?

thank you

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-23-2017 08:11 AM

You can dump it to a CSV file by adding this:

| outputcsv MyCSV

Then you get at it like this:

| inputcsv MyCSV

If this is large, you may cause problems by cluttering up your dispatch directory
You can dump it to a KVStore by setting up a collection and then adding this:

| outputlookup MyKVStoreLookup

Then you get at it like this:

| inputlookup MyKVStoreLookup

You can dump it to a summary index like this:

| eval MySpecialField=MySpecialValue | collect MySummaryIndexName

Then you get at it like this:

index=MySummaryIndexName MySpecialField=MySpecialValue

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-23-2017 08:11 AM

You can dump it to a CSV file by adding this:

| outputcsv MyCSV

Then you get at it like this:

| inputcsv MyCSV

If this is large, you may cause problems by cluttering up your dispatch directory
You can dump it to a KVStore by setting up a collection and then adding this:

| outputlookup MyKVStoreLookup

Then you get at it like this:

| inputlookup MyKVStoreLookup

You can dump it to a summary index like this:

| eval MySpecialField=MySpecialValue | collect MySummaryIndexName

Then you get at it like this:

index=MySummaryIndexName MySpecialField=MySpecialValue
Reply
Solved! Jump to solution

DalJeanis
Legend
‎03-23-2017 09:25 AM

shouldn't that be ...

 | inputlookup MyKVStoreLookup
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-23-2017 11:46 AM

Quite correct. Fixed now. Thank you for the oversight.

Reply
Solved! Jump to solution

matansocher
Contributor
‎03-23-2017 08:17 AM

could not ask for better answer and any faster.

thank you very much!!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...