Using db connect app, doing lookup without sourcetype/index

rdownie
Communicator

I realize you can do this with the dbquery command using |dbquery. I would like to know if there is a way to use a database lookup without a sourcetype/index in the search or subsearch.
For instance, I would look to do something like:

| rename $UID$ as item1 | lookup dbtable item1 output item2,item3,item4

within a search or subsearch?

Thanks,
-Bob


rdownie
Communicator

I have found:

| stats count | eval DBCOLUMN="value" | lookup dbtable DBCOLUMN OUTPUT COLUMN2,COLUMN3

This does what I was looking for.

lguinn2
Legend

Here is the problem, I think -

You can't just define a field like NAME. A field must be part of an event or added to the results table. It can't exist independently.

The lookup command must have something as an input; it operates on data (events or results) that are passed to it in the pipeline. Since the eval command isn't creating a field, there is nothing to lookup.

Why you don't get an error: Splunk takes the macro and inserts it into the command string. But when it executes the command string, there are no events input and therefore nothing to output.

Most of the time, the command string begins with a search. While a search doesn't have to begin with an index or sourcetype, the search does provide criteria for retrieving data. This data is then passed down the pipeline and processed by the next command in the pipeline, and so forth.

If you don't begin the command string with a search, you must provide some other data to the pipeline. There are only a few other ways:

  • inputlookup: reads the contents of a lookup into the pipeline
  • dbquery: runs a query and returns the results into the pipeline
  • metadata: returns info about sources, sourcetypes or hosts by examining metadata files; puts the info into the pipeline

There may be others, but this is all I could think of up front.
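As an added example (not from any of the posters), the seeding pattern described above used inside a subsearch, so that a database lookup on a macro argument drives an ordinary event search. `DB.PEOPLE`, `NAME`, `UID` and the `$username$` macro argument are the thread's own names; `makeresults` and the built-in `comment` macro are standard SPL, while `index=auth`, `sourcetype=linux_secure` and the `action` field are assumed. The macro argument is quoted so that eval stores it as a string literal rather than reading it as a field name.

```spl
`comment("One synthetic row from makeresults gives lookup something to operate on")`
index=auth sourcetype=linux_secure
    [ | makeresults
      | eval NAME="$username$"
      | lookup DB.PEOPLE NAME OUTPUT UID
      | where isnotnull(UID)
      | fields UID ]
| stats count BY UID, action
```

The `where isnotnull(UID)` step drops the seed row when the lookup finds no match, so only a resolved UID is handed to the outer search.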

lguinn2
Legend

Have you tried it? Did you get an error?

There is no requirement that searches must contain an index or a sourcetype. And, the lookup doesn't depend on index or sourcetype, either.

As you have written it, it does depend on having a field named item1 in the pipeline. But otherwise, it should work - unless there is another problem that I can't see...


rdownie
Communicator

This is what I am trying as a macro:

| eval NAME=$username$ | lookup DB.PEOPLE NAME output UID | fields UID

When it inspects it, it adds a search in front of it all and appears to just do a full dump of all sourcetypes. When I try removing the leading pipe:

eval NAME=$username$ | lookup DB.PEOPLE NAME output UID | fields UID

When I run this, I get nothing back. I should.

Thanks for looking at this.
-Bob
