All Apps and Add-ons

Not able to access saved searches (report) through Splunk ODBC?

manojkumargowda
New Member

Hello All,

We are not able to access some saved searches through ODBC splunk connector while we can access some saved searches. I guess it is to do with the permissions of the saved searches (report) in Splunk. We tried giving all the accesses to the report, but still it doesn't return any result in QLiksense (reporting tool) using Splunk ODBC.

manojkumargowda_0-1678601316583.png

manojkumargowda_0-1678601493383.png

 

 

Labels (1)
Tags (1)
0 Karma

niyaz006
Path Finder

Can we pull data directly from the index using odbc? Or only saved searches?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

ODBC does not support ad-hoc queries.  They must invoke a saved search.

---
If this reply helps you, Karma would be appreciated.
0 Karma

manojkumargowda
New Member

Also one more thing is, when we run the saved search through ODBC, it creates a job in Splunk. The jobs for the saved searches which are not fetching any records are getting expired in few seconds while the ones that are accessible by Splunk ODBC are usually expires after few minutes. 

Is this something to do with the above issue? 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

That error message do not mean you cannot access the saved search.  It means the saved search ran successfully, but produced no results.  Depending on the search, that my be completely normal.

---
If this reply helps you, Karma would be appreciated.
0 Karma

manojkumargowda
New Member

Thanks @richgalloway  for your response.

Yes, you are right. Saved search ran successfully but it didn't fetch any records. The same saved search returns results when I run it in Splunk UI. 

It's weird that I can access some saved searches through Splunk ODBC, but some are not, though both are having same permissions.  

manojkumargowda_0-1678635688385.png

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Make sure the ODBC user has the role(s) necessary to access the desired saved searches and the indexes that feed them.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...