
Fetching search strings from database.

anuj1630
New Member

Hi,

I have an RDBMS connected to Splunk via DB Connect. Inside that RDBMS there is a table which stores queries that I have to execute on Splunk. For example, one row looks like this:

Id  Search_String
1   index="XYZ" sourcetype=ABC | convert ctime(_time) as Time timeformat="%U" | stats dc(source) by Time

So my requirement is: I have to fetch this search string from my DB (which I am able to do using DB Connect) and automatically execute it on Splunk (which I don't know how to do) to generate a report.

Is it possible to do? If yes, how do I do it? Since I am a beginner on Splunk, please guide me on this.

0 Karma

niketn
Legend

@anuj1630, This seems to be a duplicate of https://answers.splunk.com/answers/561370/execution-of-search-strings-stored-in-an-external.html

Is your intent to execute only one query at a time? If so,

Step 1) You can feed your dbxquery output to populate a table with two columns, Id and Search_String (PS: in order to mock the data from the database, I have used makeresults; you can use your current query instead).

Step 2) You can use the table's <drilldown> to create a queryString token from the query fetched from the database search, using the $row.Search_String$ token.

Step 3) Finally, use the $queryString$ token in the other search that you want to execute. PS: I have included a Time input control with token tokTime, to ensure that the second search runs for the required duration of time.

<form>
  <label>Dummy Dashboard</label>
  <fieldset submitButton="false">
    <!-- Time range applied to the second (stored) search, not to the lookup of the strings -->
    <input type="time" token="tokTime">
      <label>Select Time Range</label>
      <default>
        <earliest>-30d@d</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- Mock of the dbxquery output: replace with the DB Connect search that returns Id and Search_String -->
        <search>
          <query>| makeresults
| eval Id=1
| eval Search_String="index=\"_internal\" sourcetype=\"splunkd\" | convert ctime(_time) as Time timeformat=\"%U\" | stats dc(component) by Time"
| append [| makeresults
| eval Id=2
| eval Search_String="index=\"_internal\" sourcetype=\"splunkd\" | convert ctime(_time) as Time timeformat=\"%U\" | stats dc(group) by Time"]
| fields - _time</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">cell</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <!-- Clicking a cell copies that row's Search_String into the queryString token -->
        <drilldown>
          <set token="queryString">$row.Search_String$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <!-- Hidden until a row has been clicked; the stored string is then run verbatim as this panel's search -->
  <row depends="$queryString$">
    <panel>
      <table>
        <search>
          <query>$queryString$</query>
          <earliest>$tokTime.earliest$</earliest>
          <latest>$tokTime.latest$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
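A caveat that goes with the dashboard approach above: whatever lands in $queryString$ is run verbatim, as the user viewing the dashboard, so anyone who can write to the Search_String column can run arbitrary SPL (| delete, | outputlookup, | sendemail, | rest, ...) under that user's role. The following is an added example, not code from the thread or from Splunk: a small Python allowlist that splits a stored search string into its pipeline stages (respecting quoted strings) and refuses any row whose commands are not on a read-only list. The SAMPLE_ROWS are constructed to stand in for the dbxquery output, ALLOWED_COMMANDS is an assumed list to adjust for your reports, and `run` is a hypothetical hook where the real execution call would go.

```python
import re

# Assumed allowlist for stored report queries.  Anything outside it
# (| delete, | outputlookup, | sendemail, | runshellscript, | rest, ...) is
# refused, so editing a row in the RDBMS cannot turn a read-only report into
# something else.  Extend to taste.
ALLOWED_COMMANDS = {
    "search", "convert", "stats", "eval", "timechart", "chart", "table",
    "fields", "rename", "sort", "dedup", "where", "head", "top", "rare",
}

# Constructed rows standing in for the (Id, Search_String) table that the
# dbxquery search would return.  Row 1 is the query from the question.
SAMPLE_ROWS = [
    (1, 'index="XYZ" sourcetype=ABC | convert ctime(_time) as Time '
        'timeformat="%U" | stats dc(source) by Time'),
    (2, 'index="XYZ" sourcetype=ABC | stats count by host | outputlookup hosts.csv'),
    (3, '| rest /services/authentication/users | table title roles'),
    (4, 'index="XYZ" msg="a | b" | stats count'),
]


def split_pipeline(spl):
    """Split SPL on '|' characters that are outside double quotes.

    Backslash escapes inside quoted strings (e.g. \\") are honoured.  Pipes
    inside a [subsearch] are split too, which is what we want here: every
    command in the string, nested or not, gets checked.
    """
    segments, buf, in_quote, escape = [], [], False, False
    for ch in spl:
        if escape:
            buf.append(ch)
            escape = False
        elif ch == "\\":
            buf.append(ch)
            escape = True
        elif ch == '"':
            buf.append(ch)
            in_quote = not in_quote
        elif ch == "|" and not in_quote:
            segments.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    segments.append("".join(buf).strip())
    return [s for s in segments if s]


def command_names(spl):
    """Return the lower-cased command name of every pipeline stage.

    A string that does not start with '|' begins with an implicit 'search'
    (e.g. index="XYZ" sourcetype=ABC); one that does starts with a
    generating command such as '| rest' or '| makeresults'.
    """
    spl = spl.strip()
    names = []
    for i, seg in enumerate(split_pipeline(spl)):
        if i == 0 and not spl.startswith("|"):
            names.append("search")
            continue
        m = re.match(r"[A-Za-z_][A-Za-z0-9_]*", seg)
        names.append(m.group(0).lower() if m else "?")
    return names


def check_stored_search(spl, allowed=ALLOWED_COMMANDS):
    """Return (ok, offending_commands) for one Search_String value."""
    offending = sorted({n for n in command_names(spl) if n not in allowed})
    return (not offending, offending)


def run_stored_searches(rows, run, allowed=ALLOWED_COMMANDS):
    """Gate each (Id, Search_String) row through the allowlist before running.

    `run` is a hypothetical callable that executes one SPL string; it is only
    invoked for rows that pass.  Returns [(Id, status), ...].
    """
    outcome = []
    for row_id, spl in rows:
        ok, bad = check_stored_search(spl, allowed)
        if ok:
            run(spl)
            outcome.append((row_id, "run"))
        else:
            outcome.append((row_id, "refused:" + ",".join(bad)))
    return outcome


if __name__ == "__main__":
    # Stand-alone demo: no search is actually executed, the hook is a no-op.
    for row_id, status in run_stored_searches(SAMPLE_ROWS, lambda q: None):
        print(row_id, status)
```

Rows 1 and 4 pass (the `|` inside `msg="a | b"` is not treated as a pipe), row 2 is refused for outputlookup and row 3 for rest. In a real pipeline the `run` hook would be the Splunk search call (for example `service.jobs.oneshot(spl, earliest_time=..., latest_time=...)` from the Splunk SDK for Python), run under a service account with only the roles the reports need rather than the dashboard viewer's own.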