Hi, I'm using dbconnect app
Have some fields that contain long strings of text, want to search for only those results that have a certain word (X) within them
To phrase it another way trying to do something like this:
| dbquery "MYDB" "select text_field from my_table where text_field contains "Description""
Thanks 🙂
What you're trying to do is restrict your results in your SQL query. It should look like this:
| dbquery "MYDB" "SELECT text_field FROM my_table WHERE text_field LIKE '%Description%' "
The "LIKE" command searches for any string that contains the string you feed it. The "%" character is a wildcard, so %description% will match any text field that contains the string 'description'.
Also be sure to verify the correct use of SQL quotes within your Splunk search.
Here's a simple manual page on the subject:
What you're trying to do is restrict your results in your SQL query. It should look like this:
| dbquery "MYDB" "SELECT text_field FROM my_table WHERE text_field LIKE '%Description%' "
The "LIKE" command searches for any string that contains the string you feed it. The "%" character is a wildcard, so %description% will match any text field that contains the string 'description'.
Also be sure to verify the correct use of SQL quotes within your Splunk search.
Here's a simple manual page on the subject:
Have you tried this (using your SQL as a guide to the Splunk Search Language equivalent):
index=mydb sourcetype=my_table "Description"
Alternatively, you can use search time field extractions to create a "description" field, then you can selectively search your data for something specific in "Description". Check it out at http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsatsearchtime.
Hi, "No matching events found" – I'm not sure how to search the db without using | dbconnect
(I don't see the db info listed in the summary anywhere)
...Where to go from here?