All Apps and Add-ons

Splunk DB Connect lookup produces invalid query syntax

kranzrm
Path Finder

I have successfully installed and configured DBConnect 3.11 on a search-head and I'm able to query and output data to/from an AWS RDS Aurora database.

My problem happens when I try to run a dbxlookup against my data search results.

From: /opt/splunk/var/log/splunk/splunk_app_db_connect_audit_command.2017-10-15.log

 2017-10-15 20:01:47.139 2886@splunk-sh1 [main] INFO  com.splunk.dbx.connector.logger.AuditLogger - operation= connection_name= stanza_name= state=success sql='SELECT "ip", "dns" FROM (SELECT time, ip, dns FROM `hostip_lookup`.`table_name`) dbxlookup WHERE "ip" IN (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,)'

I ran this query manually and I am not getting the expected results.

 SELECT "ip", "dns" FROM (SELECT time, ip, dns FROM `hostip_lookup`.`table_name`) dbxlookup

I expected to see the results from my table, instead I see:

 |# ip, dns
 |ip, dns
 |...<repeated>...
 |ip, dns
 |ip, dns

It appears that using double quotes for the column names ( SELECT "ip", "dns" FROM ...) is incorrect. And, instead of returning the record values, it is returning "ip" and "dns" for every record. This is generated by DBConnect and I am only able to change the query in the subselect (within the parenthesis ()).

Taking the quotes away from the column names returns the expected results:

 SELECT ip, dns FROM (SELECT time, ip, dns FROM `hostip_lookup`.`table_name`) dbxlookup

Questions to my fellow Splunk Ninjas:
1. Is DBConnect generating incorrect SQL? Or, have I configured something wrong?
2. Is there any way to not wrap my query within parentheses? Or can I change how Splunk is quoting my column names?

0 Karma
1 Solution

kranzrm
Path Finder

I have found a solution to this problem. The database must have ANSI_QUOTES enabled in the sql_mode parameter.

From: https://dev.mysql.com/doc/refman/5.6/en/sql-mode.html#sqlmode_ansi_quotes

 ANSI_QUOTES

 Treat " as an identifier quote character (like the ` quote character) and not as a string quote character. You can still use ` to quote identifiers with this mode enabled. With ANSI_QUOTES enabled, you cannot use double quotation marks to quote literal strings, because it is interpreted as an identifier.

Relevant StackOverflow Post: https://stackoverflow.com/a/14123649/1440715

For AWS RDS this needs to be set within a parameter group. This cannot be set with the SQL query used on a vanilla MySQL databse. Once the parameter is set (and the group is applied) the database instance needs to be rebooted in order for this setting to take effect.

Working with DB Parameter Groups: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html

View solution in original post

0 Karma

kranzrm
Path Finder

I have found a solution to this problem. The database must have ANSI_QUOTES enabled in the sql_mode parameter.

From: https://dev.mysql.com/doc/refman/5.6/en/sql-mode.html#sqlmode_ansi_quotes

 ANSI_QUOTES

 Treat " as an identifier quote character (like the ` quote character) and not as a string quote character. You can still use ` to quote identifiers with this mode enabled. With ANSI_QUOTES enabled, you cannot use double quotation marks to quote literal strings, because it is interpreted as an identifier.

Relevant StackOverflow Post: https://stackoverflow.com/a/14123649/1440715

For AWS RDS this needs to be set within a parameter group. This cannot be set with the SQL query used on a vanilla MySQL databse. Once the parameter is set (and the group is applied) the database instance needs to be rebooted in order for this setting to take effect.

Working with DB Parameter Groups: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html

0 Karma

richgalloway
SplunkTrust
SplunkTrust

@kranzm, If your problem is resolved, please accept the answer (it's OK to accept your own answer) to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...