
Splunk DB Connect 2: After upgrading Splunk to 6.4.1, why is a "select * from" statement added to our query?

jhoang
Path Finder

Hi Support,

So currently we are trying to execute a DB query; however, you have added a select * from statement to our query. After the upgrade to version Splunk 6.4.1 Windows X64, we noticed this change to our DB Connect 2.

Query we are trying to run:

declare @dt datetime
select @dt = dateadd(SECOND, -300, getdate())
SELECT OrderID, UserID, ConditionStateID, LogicalOperatorID, OC_ActivationTime, OC_StartTime, OC_EndTime, OC_ExpirationDate, OC_IsActive, OC_CreationDate, OC_DmlDate, OC_DmlUserID 
FROM UBER.dbo.OrderCondition
where OC_CreationDate > @dt

Invalid Query message:

External search command 'dbxquery' returned error code 1. Script output = "RuntimeError: Failed to run query: "SELECT * FROM (declare @dt datetime select @dt = dateadd(SECOND, -300, getdate()) SELECT OrderID, UserID, ConditionStateID, LogicalOperatorID, OC_ActivationTime, OC_StartTime, OC_EndTime, OC_ExpirationDate, OC_IsActive, OC_CreationDate, OC_DmlDate, OC_DmlUserID FROM UBER.dbo.OrderCondition where OC_CreationDate > @dt) t", caused by: AvroRemoteException(u"com.sybase.jdbc4.jdbc.SybSQLException: Incorrect syntax near the keyword 'declare'.\n",). "

This is happening for all of our DB input queries now - can you kindly advise?

Jacks


jhoang
Path Finder

Hi all, this item can be marked as resolved.

There was an issue with the /splunk_app_db_connect/bin/dbx2/query_builder.py.

We had to manually remove the 2 strings in order to allow the DB query to run.


0 Karma

bgriffis
Explorer

So does anyone have an official word on WHY Splunk made the query_builder.py have that goofy fmt?

def build_inline_view_query(query):
    #fmt = "SELECT * FROM (%s) t"
    fmt = "%s"
    return fmt % query

And what's the trouble in making it just "%s"?

mendesjo
Path Finder

Didn't work for me..

0 Karma

vu_le
New Member

Hi jhoang,

Are you able to share which two strings you needed to remove in order to allow the DB query to run?

0 Karma

joao_amorim
Communicator

You need to delete the SELECT * FROM and the t at the end.

I think that it's supposed to remain only the %s which is the query.

0 Karma

jhoang
Path Finder

My teammate made the changes, I am not too sure.

0 Karma
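
As an added illustration of the wrapper discussed in this thread (not Splunk's code and not a supported patch): the sketch below applies the reported `SELECT * FROM (%s) t` template only when a query looks like a single SELECT, and passes batches such as the DECLARE query through unchanged. The function names, the keyword list and the single-statement heuristic are assumptions of this example.

```python
import re

# Template the thread reports in query_builder.py.
INLINE_VIEW_FMT = "SELECT * FROM (%s) t"

# Statement keywords that cannot occur inside one SELECT (list is this example's assumption).
BATCH_KEYWORDS = {"DECLARE", "SET", "EXEC", "EXECUTE", "INSERT", "UPDATE", "DELETE", "MERGE"}

_STRING = r"'(?:[^']|'')*'"
_STRING_OR_COMMENT = re.compile(_STRING + r"|--[^\n]*|/\*.*?\*/", re.S)


def strip_comments(query):
    """Remove -- and /* */ comments; string literals match first, so they survive."""
    keep_strings = lambda m: m.group(0) if m.group(0).startswith("'") else " "
    return _STRING_OR_COMMENT.sub(keep_strings, query).strip().rstrip(";").strip()


def can_wrap_as_inline_view(query):
    """True only for what looks like a single SELECT statement (heuristic)."""
    skeleton = re.sub(_STRING, "''", strip_comments(query))
    words = [w.upper() for w in re.findall(r"[A-Za-z_]\w*", skeleton)]
    if not words or words[0] != "SELECT" or ";" in skeleton:
        return False
    # T-SQL needs no ';' between statements, so look for statement keywords too.
    return not BATCH_KEYWORDS.intersection(words[1:])


def build_query(query):
    """Wrap a lone SELECT as a derived table; pass any other batch through unchanged."""
    if can_wrap_as_inline_view(query):
        return INLINE_VIEW_FMT % strip_comments(query)
    return query


# The query from the thread, column list shortened for the example.
THREAD_QUERY = """declare @dt datetime
select @dt = dateadd(SECOND, -300, getdate())
SELECT OrderID, UserID FROM UBER.dbo.OrderCondition
where OC_CreationDate > @dt"""

if __name__ == "__main__":
    print(build_query(THREAD_QUERY))  # unchanged: the batch starts with DECLARE
    print(build_query("SELECT OrderID FROM UBER.dbo.OrderCondition;"))
```

The pass-through branch is what the `fmt = "%s"` edit shown in the thread does for every query.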