All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Does Splunk DB Connect V2 supports queries variables?

egsub
Explorer
‎05-14-2015 06:29 AM

Hi,

We used to have Splunk DB Connect lookups to Advanced SQL with parameters (using $field_name$ as an identifier) - which let us use special queries as lookup

Since version 2, we can't find a way to have these special queries. Is there any option to config customized queries?

Thanks,

EG

Reply

lshatzer
Path Finder
‎08-23-2016 06:48 AM

After beating my head against a wall on this, I've found this is not currently possible for lookups. It either screws up the query wrapping Splunk does, or when that is disabled, it attaches a second where clause, which makes it invalid (since it is not AND <condition>), but WHERE <this> WHERE <that>.

The more problematic hurdle is that Splunk will batch up the queries and provide them into an IN clause.

For one of my use cases I'm getting around this by providing a materialized view, so the query is still performing well, and the query logic is housed in that view.

My second use case won't easily be supported, where I have a user defined function that I need to pass the parameter to. This, I'll have to figure something else out.

Both of these work fine with dbxquery, but that is harder to use as a lookup like this.

0 Karma
Reply

dbabanov
Path Finder
‎02-10-2017 12:54 AM

Hi!
Can you show your workaround (example) with dbxquery?

0 Karma
Reply

lshatzer
Path Finder
‎02-10-2017 07:17 AM

I would use outputlookup after the dbxquery, on a schedule, and then use lookup against that csv file.

0 Karma
Reply

xdp4
Explorer
‎05-15-2015 10:06 AM

Are you referring to the tokens used in a dashboard to populate a search? It is possible to do, and I have it working in our dashboards now. (it took a bit of trial and error) Remember the SQL queries are URL encoded now, so encode everything but the $token$. If you copy/paste the string into an automatic encoder, it will encode the $ and not work. Here's a snippet of one of my dashboard queries: "where%20EmpID%20%3D%20%27$id$%27" The $id$ is replaced with whatever variable the analyst places in the field to query the SQL database on.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...