Hi,
With Splunk DB Connect new version 2.4, the results of query is giving output like this:
(001) broker_stats.time_stamp.datetime (002) broker_stats.num_busy_engines.int (003) broker_stats.num_total_engines.int (004) broker_stats.num_tasks_pending.int (005) brokers.broker_name.varchar
how can I change this to just:
time_stamp, num_busy_engines, total_engines etc (i.e without tablename, numbers, datatype)
I just need column names like in old version.
Thank You,
Sridhar.
correct syntax in dbconnect ver 2+ is:
| dbxquery connection=dbname query="select * from table t" shortnames=t
shortnames=t will eliminate number, tablename, datatype from results.
Also the time fields in results was epoch in dbconnect version 1.+
in Version 2+ it is normal datetime field.
So, you may need to convert to epoch time if you need in the query.
correct syntax in dbconnect ver 2+ is:
| dbxquery connection=dbname query="select * from table t" shortnames=t
shortnames=t will eliminate number, tablename, datatype from results.
Also the time fields in results was epoch in dbconnect version 1.+
in Version 2+ it is normal datetime field.
So, you may need to convert to epoch time if you need in the query.
Hi gudavasr - Did your answer provide a working solution to your question? If yes and you would like to close out your post, don't forget to click "Accept". But if you'd like to keep it open for possibilities of other answers, you don't have to take action on it yet. Thanks!
base search| rename "(001) broker_stats.time_stamp.datetime" as time_stamp , "(002) broker_stats.num_busy_engines.int" as num_busy_engines,"(003) broker_stats.num_total_engines.int" as total_engines,"(004) broker_stats.num_tasks_pending.int" as tasks_pending,"(005) brokers.broker_name.varchar" as broker_name | table time_stamp,num_busy_engines,total_engines,tasks_pending,broker_name
Thank you for your help. But that's a lot of changes if I have many queries saved w/old version. Hoping to see better answer. Otherwise I will accept this.