All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating a dataset to search in instead of searching in outside DB

matansocher
Contributor
‎03-23-2017 08:02 AM

Since in the query below splunk is seaching in outside database, the search takes a lot of time to show results.

| dbquery "MPS" "SELECT * FROM MPS.MPS_MILESTONE WHERE (Design_Element_Name='IPA') AND Report_Milestone!=' ' AND ProjectName='Accelerator_cores'"

Executing that query in the search gives me a result table.
How can i export the result table into a dataset so i can search it with no need to get to the db every time I make a search?

thank you

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-23-2017 08:11 AM

You can dump it to a CSV file by adding this:

| outputcsv MyCSV

Then you get at it like this:

| inputcsv MyCSV

If this is large, you may cause problems by cluttering up your dispatch directory
You can dump it to a KVStore by setting up a collection and then adding this:

| outputlookup MyKVStoreLookup

Then you get at it like this:

| inputlookup MyKVStoreLookup

You can dump it to a summary index like this:

| eval MySpecialField=MySpecialValue | collect MySummaryIndexName

Then you get at it like this:

index=MySummaryIndexName MySpecialField=MySpecialValue

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-23-2017 08:11 AM

You can dump it to a CSV file by adding this:

| outputcsv MyCSV

Then you get at it like this:

| inputcsv MyCSV

If this is large, you may cause problems by cluttering up your dispatch directory
You can dump it to a KVStore by setting up a collection and then adding this:

| outputlookup MyKVStoreLookup

Then you get at it like this:

| inputlookup MyKVStoreLookup

You can dump it to a summary index like this:

| eval MySpecialField=MySpecialValue | collect MySummaryIndexName

Then you get at it like this:

index=MySummaryIndexName MySpecialField=MySpecialValue
Reply
Solved! Jump to solution

DalJeanis
Legend
‎03-23-2017 09:25 AM

shouldn't that be ...

 | inputlookup MyKVStoreLookup
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-23-2017 11:46 AM

Quite correct. Fixed now. Thank you for the oversight.

Reply
Solved! Jump to solution

matansocher
Contributor
‎03-23-2017 08:17 AM

could not ask for better answer and any faster.

thank you very much!!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...