All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to generate events from a search sql query in Splunk DB Connect?

gangwarj
New Member
‎02-05-2018 01:54 AM

I am running a sql query which use JOIN 4 tables and returns the results, the query is working as expected in SQL Explorer but when i try to run the same in search it does not generate any events, values get populated n statistics tab though.

 SELECT  * 
 FROM table1 
 INNER JOIN table2 
 ON table1.DEVICE_ID = table2.ID 
 LEFT JOIN table3 
 ON table2.CLIENT_ID = table3.ID 
 LEFT JOIN table4  
 ON table3.CLIENTTYPE_ID = table4.ID 
 WHERE table4.NAME = 'ABC'  OR table4.NAME = 'DEF'

I want to use some aggregation function (stats, eval, count) over the rows returned from my SQL query.

0 Karma
Reply

micahkemp
Champion
‎02-06-2018 09:13 AM

Specify your selected column names explicitly, like this:

| dbxquery connection="<connect>" query="SELECT table1.ID AS table1_ID, table4.NAME AS table4_NAME 
      FROM table1 
      INNER JOIN table2 
      ON table1.DEVICE_ID = table2.ID 
      LEFT JOIN table3 
      ON table2.CLIENT_ID = table3.ID 
      LEFT JOIN table4  
      ON table3.CLIENTTYPE_ID = table4.ID 
      WHERE table4.NAME = 'ABC'  OR table4.NAME = 'DEF'"

I just tried this and it resulted in this output:
alt text

Preview file
77 KB
0 Karma
Reply

micahkemp
Champion
‎02-05-2018 06:01 AM

Assuming you are running the query at search time (versus configuraing an input that periodically runs the SQL and indexes the resutls) I wouldn't expect running a SQL query to return events, I would only expect it to return statistics. The statistics fully represent the results of your query, and you can run aggregations on the statistics just as you can on events.

Is there a reason you also want to see something on the events tab?

0 Karma
Reply

gangwarj
New Member
‎02-05-2018 10:55 PM

In statistics tab the columns names are changed, How do I refer to a specific column or some table. The statistics are the result of joins on 4 different tables.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...