All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Creating a dataset to search in instead of searching in outside DB

matansocher
Contributor
‎03-23-2017 08:02 AM

Since in the query below splunk is seaching in outside database, the search takes a lot of time to show results.

| dbquery "MPS" "SELECT * FROM MPS.MPS_MILESTONE WHERE (Design_Element_Name='IPA') AND Report_Milestone!=' ' AND ProjectName='Accelerator_cores'"

Executing that query in the search gives me a result table.
How can i export the result table into a dataset so i can search it with no need to get to the db every time I make a search?

thank you

Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-23-2017 08:11 AM

You can dump it to a CSV file by adding this:

| outputcsv MyCSV

Then you get at it like this:

| inputcsv MyCSV

If this is large, you may cause problems by cluttering up your dispatch directory
You can dump it to a KVStore by setting up a collection and then adding this:

| outputlookup MyKVStoreLookup

Then you get at it like this:

| inputlookup MyKVStoreLookup

You can dump it to a summary index like this:

| eval MySpecialField=MySpecialValue | collect MySummaryIndexName

Then you get at it like this:

index=MySummaryIndexName MySpecialField=MySpecialValue

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎03-23-2017 08:11 AM

You can dump it to a CSV file by adding this:

| outputcsv MyCSV

Then you get at it like this:

| inputcsv MyCSV

If this is large, you may cause problems by cluttering up your dispatch directory
You can dump it to a KVStore by setting up a collection and then adding this:

| outputlookup MyKVStoreLookup

Then you get at it like this:

| inputlookup MyKVStoreLookup

You can dump it to a summary index like this:

| eval MySpecialField=MySpecialValue | collect MySummaryIndexName

Then you get at it like this:

index=MySummaryIndexName MySpecialField=MySpecialValue
Reply
Solved! Jump to solution

DalJeanis
Legend
‎03-23-2017 09:25 AM

shouldn't that be ...

 | inputlookup MyKVStoreLookup
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-23-2017 11:46 AM

Quite correct. Fixed now. Thank you for the oversight.

Reply
Solved! Jump to solution

matansocher
Contributor
‎03-23-2017 08:17 AM

could not ask for better answer and any faster.

thank you very much!!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...