All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a Splunk DB Connect 2 lookup with query parameters?

cmccormick
Explorer
‎12-22-2015 12:15 PM

Hello,

I have a table in my database that records changes to a record in my people table. I have a trigger that inserts the new data into the historical table when the record changes and timestamps it. I need to do a lookup on that table based on username and the date on the event in Splunk.

I am trying to create a dblookup using DB Connect that will run a query like the following:

SELECT TOP 1 Meta_LogDate, FirstName, LastName, Region
FROM People_Historical
WHERE UserName = $UserName$
AND Meta_LogDate <= $LogDate$
ORDER BY Meta_LogDate DESC

How can I do this with Splunk DB Connect 2? The interface does not allow me to create/add parameters to the advanced query when creating the lookup.

Reply

woodcock
Esteemed Legend
‎02-15-2016 06:19 PM

I have not used dblookup but I know that dbxquery (V2) is different from dbquery (V1) in that you have to encode your SLQ statement ("SELECT string") so perhaps this is required for dblokup, too. Try that; I use this web tool:

http://meyerweb.com/eric/tools/dencoder/

0 Karma
Reply

cmccormick
Explorer
‎04-14-2016 02:40 PM

Unfortunately, that did not work. However, I have switched to indexing the data and just using a join.

0 Karma
Reply

woodcock
Esteemed Legend
‎04-26-2016 06:49 AM

Always avoid using join and try to use stats instead.

0 Karma
Reply

raghu0463
Explorer
‎08-09-2017 08:04 PM

Hello woodcock,
How to use stasts instead of join pls

Thanks

0 Karma
Reply

woodcock
Esteemed Legend
‎12-22-2015 03:40 PM

Do not use the interface; just go to Settings -> Data inputs -> Splunk DB Connect Input Service -> Add New.

0 Karma
Reply

cmccormick
Explorer
‎12-23-2015 01:37 PM

This does not really answer my question...

I am wanting to create a DB lookup that allows me to pass in to input values to an advanced query, but I am not able to figure out how I need to format my query in Splunk. I have tried the format like I originally included and also this format.

 SELECT TOP 1 Meta_LogDate, FirstName, LastName, Region
 FROM People_Historical
 WHERE UserName = {{UserName}}
 AND Meta_LogDate <= {{LogDate}}
 ORDER BY Meta_LogDate DESC

Then tried to use the following search, without success.

source=actionlog | lookup db_connect_HistoricalPeople UserName, LogDate OUTPUT FirstName, LastName, Region

How would I format the query to allow me to pass the inputs from the search?

0 Karma
Reply
Get Updates on the Splunk Community!

SOC Modernization: How Automation and Splunk SOAR are Shaping the Next-Gen Security ...

Security automation is no longer a luxury but a necessity. Join us to learn how Splunk ES and SOAR empower ...

Ask It, Fix It: Faster Investigations with AI Assistant in Observability Cloud

  Join us in this Tech Talk and learn about the recently launched AI Assistant in Observability Cloud. With ...

Index This | How many sides does a circle have?

  March 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...
Top