This is reference to the SolarWinds Add-on for Splunk - SolarWinds Add-on for Splunk | Splunkbase
@ehaddad_splunk Is there a limit to the structure or size of the SWQL?
I can get Alerts, inventory, and simple queries no issue. But when I run a complex search, I get status=400
The search below works inside the SWQL Studio
2021-03-18 11:43:11,872 +0000 log_level=ERROR, pid=30166, tid=Thread-4, file=engine.py, func_name=_send_request, code_line_no=325 | [stanza_name="test_001"] The response status=400 for request which url=https://10.1.2.21:17778/SolarWinds/InformationService/v3/Json/Query?query=SELECT IPAddress1, IPAddress2, CASE WHEN IPAddress1 IS NULL THEN NULL ELSE H1.Hostname END AS Hostname1, CASE WHEN IPAddress2 IS NULL THEN NULL ELSE H2.Hostname END AS Hostname2, TotalBytesIngress, TotalPacketsIngress, TotalBytesEgress, TotalPacketsEgress, TotalBytesIngress + TotalBytesEgress AS TotalBytes, TotalPacketsIngress + TotalPacketsEgress AS TotalPackets FROM (SELECT TOP 10 SourceIP AS IPAddress1, DestinationIP AS IPAddress2, MAX(SourceHostnameID) AS HostnameID1, MAX(DestinationHostnameID) AS HostnameID2,SUM(IngressBytes) AS TotalBytesIngress, SUM(IngressPackets) AS TotalPacketsIngress, SUM(EgressBytes) AS TotalBytesEgress, SUM(EgressPackets) AS TotalPacketsEgress, SUM(IngressBytes) + SUM(EgressBytes) AS TotalBytes, SUM(IngressPackets) + SUM(EgressPackets) AS TotalPackets FROM Orion.Netflow.FlowsByConversation Flows WHERE (Timestamp >= (GetUTCDate() - 0.04167)) GROUP BY (SourceIP, DestinationIP) ORDER BY TotalBytes DESC) OuterFlows LEFT JOIN Orion.Netflow.Hostnames AS H1 ON H1.ID = OuterFlows.HostnameID1 LEFT JOIN Orion.Netflow.Hostnames AS H2 ON H2.ID = OuterFlows.HostnameID2 ORDER BY TotalBytes DESC, IPAddress1 ASC, IPAddress2 ASC and method=GET.
However, this one works fine as a successful search:
2021-03-18 11:55:37,398 +0000 log_level=INFO, pid=12462, tid=Thread-4, file=http.py, func_name=request, code_line_no=169 | [stanza_name="test_002"] Invoking request to [https://10.1.2.1:17778/SolarWinds/InformationService/v3/Json/Query?query=SELECT%20Caption%20AS%20NodeName,%20IPAddress%20FROM%20Orion.Nodes] finished
Ok, just for the record, simply replacing the + sign with %2B in the string before creating the input works.
So, what i paste in the tiny input box is below. notice the %2B. The add-on nor python will remove that code, it leaves it in place. whew!
SELECT IPAddress1, IPAddress2, CASE WHEN IPAddress1 IS NULL THEN NULL ELSE H1.Hostname END AS Hostname1, CASE WHEN IPAddress2 IS NULL THEN NULL ELSE H2.Hostname END AS Hostname2, TotalBytesIngress, TotalPacketsIngress, TotalBytesEgress, TotalPacketsEgress, TotalBytesIngress %2B TotalBytesEgress AS TotalBytes, TotalPacketsIngress %2B TotalPacketsEgress AS TotalPackets FROM (SELECT TOP 10 SourceIP AS IPAddress1, DestinationIP AS IPAddress2, MAX(SourceHostnameID) AS HostnameID1, MAX(DestinationHostnameID) AS HostnameID2, SUM(IngressBytes) AS TotalBytesIngress, SUM(IngressPackets) AS TotalPacketsIngress, SUM(EgressBytes) AS TotalBytesEgress, SUM(EgressPackets) AS TotalPacketsEgress, SUM(IngressBytes) %2B SUM(EgressBytes) AS TotalBytes, SUM(IngressPackets) %2B SUM(EgressPackets) AS TotalPackets FROM Orion.Netflow.FlowsByConversation Flows WHERE (Timestamp >= (GetUTCDate() - 0.04167)) GROUP BY (SourceIP, DestinationIP) ORDER BY TotalBytes DESC ) OuterFlows LEFT JOIN Orion.Netflow.Hostnames AS H1 ON H1.ID = OuterFlows.HostnameID1 LEFT JOIN Orion.Netflow.Hostnames AS H2 ON H2.ID = OuterFlows.HostnameID2 ORDER BY TotalBytes DESC, IPAddress1 ASC, IPAddress2 ASC
Ok, just for the record, simply replacing the + sign with %2B in the string before creating the input works.
So, what i paste in the tiny input box is below. notice the %2B. The add-on nor python will remove that code, it leaves it in place. whew!
SELECT IPAddress1, IPAddress2, CASE WHEN IPAddress1 IS NULL THEN NULL ELSE H1.Hostname END AS Hostname1, CASE WHEN IPAddress2 IS NULL THEN NULL ELSE H2.Hostname END AS Hostname2, TotalBytesIngress, TotalPacketsIngress, TotalBytesEgress, TotalPacketsEgress, TotalBytesIngress %2B TotalBytesEgress AS TotalBytes, TotalPacketsIngress %2B TotalPacketsEgress AS TotalPackets FROM (SELECT TOP 10 SourceIP AS IPAddress1, DestinationIP AS IPAddress2, MAX(SourceHostnameID) AS HostnameID1, MAX(DestinationHostnameID) AS HostnameID2, SUM(IngressBytes) AS TotalBytesIngress, SUM(IngressPackets) AS TotalPacketsIngress, SUM(EgressBytes) AS TotalBytesEgress, SUM(EgressPackets) AS TotalPacketsEgress, SUM(IngressBytes) %2B SUM(EgressBytes) AS TotalBytes, SUM(IngressPackets) %2B SUM(EgressPackets) AS TotalPackets FROM Orion.Netflow.FlowsByConversation Flows WHERE (Timestamp >= (GetUTCDate() - 0.04167)) GROUP BY (SourceIP, DestinationIP) ORDER BY TotalBytes DESC ) OuterFlows LEFT JOIN Orion.Netflow.Hostnames AS H1 ON H1.ID = OuterFlows.HostnameID1 LEFT JOIN Orion.Netflow.Hostnames AS H2 ON H2.ID = OuterFlows.HostnameID2 ORDER BY TotalBytes DESC, IPAddress1 ASC, IPAddress2 ASC
Thank you so much for responding. I'll try to avoid the + sign. But we do need to add those values
update:
@ehaddad_splunk
the API does not like the "+" signs. This customer had a similar experience: (1) no viable alternative at input ' FROM' in SELECT Clause - Forum - Network Performance Monitor (N...
here is my issue now. If use the plus (+) sign in the input gui, the add-on does not convert it to to HTML code like it does for the greater than (>) sign. If I put a > (greater than) sign in the GUI, the add-on will convert that to > This is correct and pushed the html to the http api,
So, I tried to convert it myself before placing in the GUI. I substituted + with +
Now the GUI will replace + with +
This happens if I use the GUI or the CLI inputs.conf.
what can I do so that the GUI will send the + sign in proper html code?
The url conversaion is natively done by the python library used in the input. The link ref from the solarwinds addon states to avoid using the +. Any chance you can use an alternative query without the use of +. Maybe you can compute the addition on the splunk side at search time?