Not able to access saved searches (report) through Splunk ODBC?

manojkumargowda
New Member

Hello All,

We are not able to access some saved searches through the Splunk ODBC connector, while we can access others. I guess it has to do with the permissions of the saved searches (reports) in Splunk. We tried giving all the access to the report, but it still doesn't return any results in Qlik Sense (reporting tool) using Splunk ODBC.

0 Karma

niyaz006
Path Finder

Can we pull data directly from the index using odbc? Or only saved searches?

0 Karma

richgalloway
SplunkTrust

ODBC does not support ad-hoc queries.  They must invoke a saved search.

---
If this reply helps you, Karma would be appreciated.
0 Karma

manojkumargowda
New Member

Also, one more thing: when we run the saved search through ODBC, it creates a job in Splunk. The jobs for the saved searches that are not fetching any records expire in a few seconds, while the ones that are accessible by Splunk ODBC usually expire after a few minutes.

Is this something to do with the above issue? 

0 Karma

richgalloway
SplunkTrust

That error message does not mean you cannot access the saved search. It means the saved search ran successfully, but produced no results. Depending on the search, that may be completely normal.

---
If this reply helps you, Karma would be appreciated.
0 Karma

manojkumargowda
New Member

Thanks @richgalloway for your response.

Yes, you are right. The saved search ran successfully but it didn't fetch any records. The same saved search returns results when I run it in the Splunk UI.

It's weird that I can access some saved searches through Splunk ODBC but not others, though both have the same permissions.

0 Karma

richgalloway
SplunkTrust

Make sure the ODBC user has the role(s) necessary to access the desired saved searches and the indexes that feed them.

---
If this reply helps you, Karma would be appreciated.
0 Karma
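
The role and index checks from the reply above, as an added example that is not part of the original thread and not Splunk's own code. It models why a report the ODBC user can read still comes back empty: a search over an index the user's roles cannot search returns no events rather than an error. Role, index and report names are constructed; the setting names are those of authorize.conf (`importRoles`, `srchIndexesAllowed`, `srchIndexesDefault`), and each report is assumed to be shared rather than private.

```python
from fnmatch import fnmatchcase

# Constructed sample data; role, index and report names are hypothetical.
# Keys mirror authorize.conf settings and the report's eai:acl read list.
ROLES = {
    "user": {"importRoles": [], "srchIndexesAllowed": ["main"],
             "srchIndexesDefault": ["main"]},
    "odbc_reader": {"importRoles": ["user"], "srchIndexesAllowed": ["web_*"],
                    "srchIndexesDefault": []},
}
# "indexes" is filled in by hand from each report's SPL; [] means the
# search names no index and falls back to the roles' default indexes.
REPORTS = {
    "web_errors": {"read": ["odbc_reader"], "indexes": ["web_prod"]},
    "fw_denies": {"read": ["*"], "indexes": ["firewall"]},
    "admin_audit": {"read": ["admin"], "indexes": ["main"]},
    "all_events": {"read": ["*"], "indexes": []},
}

def effective_roles(assigned):
    """Expand assigned roles with everything inherited via importRoles."""
    seen, stack = set(), list(assigned)
    while stack:
        role = stack.pop()
        if role in ROLES and role not in seen:
            seen.add(role)
            stack.extend(ROLES[role]["importRoles"])
    return seen

def index_allowed(index, patterns):
    """Wildcard match; a pattern such as * does not cover internal _ indexes."""
    return any(fnmatchcase(index, p) and index.startswith("_") == p.startswith("_")
               for p in patterns)

def diagnose(report_name, assigned_roles):
    """Explain what the given roles get when they run the report."""
    roles = effective_roles(assigned_roles)
    report = REPORTS[report_name]
    if "*" not in report["read"] and not roles & set(report["read"]):
        return "denied: no read permission on the report"
    allowed = [p for r in roles for p in ROLES[r]["srchIndexesAllowed"]]
    default = [i for r in roles for i in ROLES[r]["srchIndexesDefault"]]
    wanted = report["indexes"] or default
    blocked = sorted(i for i in wanted if not index_allowed(i, allowed))
    if not wanted or blocked:
        return "empty: cannot search " + (", ".join(blocked) or "any default index")
    return "ok"
```

Running `diagnose` for the ODBC account's roles against each report separates the two cases in this thread: a report the account cannot read, and a report that runs but has no searchable index behind it.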