All Apps and Add-ons

Not able to access saved searches (report) through Splunk ODBC?

manojkumargowda
New Member

Hello All,

We are not able to access some saved searches through ODBC splunk connector while we can access some saved searches. I guess it is to do with the permissions of the saved searches (report) in Splunk. We tried giving all the accesses to the report, but still it doesn't return any result in QLiksense (reporting tool) using Splunk ODBC.

manojkumargowda_0-1678601316583.png

manojkumargowda_0-1678601493383.png

 

 

Labels (1)
Tags (1)
0 Karma

niyaz006
Path Finder

Can we pull data directly from the index using odbc? Or only saved searches?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

ODBC does not support ad-hoc queries.  They must invoke a saved search.

---
If this reply helps you, Karma would be appreciated.
0 Karma

manojkumargowda
New Member

Also one more thing is, when we run the saved search through ODBC, it creates a job in Splunk. The jobs for the saved searches which are not fetching any records are getting expired in few seconds while the ones that are accessible by Splunk ODBC are usually expires after few minutes. 

Is this something to do with the above issue? 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

That error message do not mean you cannot access the saved search.  It means the saved search ran successfully, but produced no results.  Depending on the search, that my be completely normal.

---
If this reply helps you, Karma would be appreciated.
0 Karma

manojkumargowda
New Member

Thanks @richgalloway  for your response.

Yes, you are right. Saved search ran successfully but it didn't fetch any records. The same saved search returns results when I run it in Splunk UI. 

It's weird that I can access some saved searches through Splunk ODBC, but some are not, though both are having same permissions.  

manojkumargowda_0-1678635688385.png

 

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Make sure the ODBC user has the role(s) necessary to access the desired saved searches and the indexes that feed them.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...