All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Help with sql request

templier
Communicator
‎03-10-2017 04:22 AM

Hello, all 🙂
I have a new request for help.

First time a use next request for every table:
Input Type: Advansed 

SELECT RecordId,CompId,UserId,EventId,Type,ProcessName,Pid,DeviceTypeId,Action,Name,Info,AdditionDate,Reason,ReasonMnemonic,DeviceType FROM "DevicelockDB"."dbo"."DLAuditLog" Column_list WHERE RecordId > ? ORDER BY RecordId ASC

Checkpoint Column RecordId and value.

But now, i want use full request with all interesting data from database.
I creat a request but can't get the following query to work:

SELECT AdditionDate,DLAuditLog.RecordId AS record_ID,DLUsers.UserName,DLStations.NetworkAddr,DLAuditLog.ProcessName,DLAuditLog.Action,DLAuditLog.Name,DLShadowFiles.OriginalFileName,DLAuditLog.DeviceType,DLAuditLog.Reason,DLAuditLog.ReasonMnemonic,DLAuditLog.Info,DLAuditLog.CompId AS compID_1,DLAuditLog.UserId AS userID_1,DLAuditLog.EventId,DLAuditLog.Type,DLAuditLog.Pid,DLAuditLog.DeviceTypeId,DLUsers.UserId AS userID_2,DLStations.CompId AS compID_2,DLShadowFiles_Users.UserId AS userID_3,DLShadowFiles_Users.ShadowId AS shadow_1,DLShadowFiles.ShadowId AS shadow_2
FROM DLAuditLog
INNER JOIN
DLUsers ON DLUsers.UserId = DLAuditLog.UserId
INNER JOIN
DLStations ON DLStations.CompId = DLAuditLog.CompId
INNER JOIN
DLShadowFiles_Users ON DLShadowFiles_Users.UserId = DLAuditLog.UserId
INNER JOIN
DLShadowFiles ON DLShadowFiles.ShadowId = DLShadowFiles_Users.ShadowId 
ORDER BY RecordId,compID_2,NetworkAddr,userID_2,userID_3,shadow_2,OriginalFileName,UserName,EventId,Type,ProcessName,Pid,DeviceTypeId,Action,Name,Info,AdditionDate,Reason,ReasonMnemonic,DeviceType

Maybe anyone can help with that, i want use this request in splunk db connect and follow data based on RecordId field, only new event write to splunk base.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎03-10-2017 04:53 AM

One tip: I nearly always use a view when I get into a SQL Query this complex. Create your view that does all your joins and any field cast/convert or formatting you need, then use DB connect to just SELECT ... FROM vw_MyViewName.

For your specific problem, you seem to have the record id in there ( SELECT AdditionDate, DLAuditLog.RecordId AS record_ID, DLUsers.UserName ... but it's named differently. You should be able to treat it exactly the same as your test:

... INNER JOIN  DLShadowFiles ON DLShadowFiles.ShadowId = DLShadowFiles_Users.ShadowId 
WHERE record_id > ? 
ORDER BY RecordId,compID_2,NetworkAddr,userID_2 ...

NOTE I don't know what DB you are using so I don't know if you need record_id or DLAuditLog.RecordId in there (e.g. I don't know if your DBMS allows aliases there or not).

If that doesn't get you sorted out, the next steps are to run the SQL query in whatever your DMBS uses as a console and get it working the way you want first. Once working you could create a view out of it or even just paste it into Splunk and add the one little line for your WHERE clause.

Happy Splunking!
-Rich

View solution in original post

Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎03-10-2017 04:53 AM

One tip: I nearly always use a view when I get into a SQL Query this complex. Create your view that does all your joins and any field cast/convert or formatting you need, then use DB connect to just SELECT ... FROM vw_MyViewName.

For your specific problem, you seem to have the record id in there ( SELECT AdditionDate, DLAuditLog.RecordId AS record_ID, DLUsers.UserName ... but it's named differently. You should be able to treat it exactly the same as your test:

... INNER JOIN  DLShadowFiles ON DLShadowFiles.ShadowId = DLShadowFiles_Users.ShadowId 
WHERE record_id > ? 
ORDER BY RecordId,compID_2,NetworkAddr,userID_2 ...

NOTE I don't know what DB you are using so I don't know if you need record_id or DLAuditLog.RecordId in there (e.g. I don't know if your DBMS allows aliases there or not).

If that doesn't get you sorted out, the next steps are to run the SQL query in whatever your DMBS uses as a console and get it working the way you want first. Once working you could create a view out of it or even just paste it into Splunk and add the one little line for your WHERE clause.

Happy Splunking!
-Rich

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...