All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

map search with dbxquery is not returning any Result

manunairadavakk
Path Finder
‎07-25-2019 11:00 PM

Hey there,

I have stumbled upon an issue where my below dbxquery map search is not yielding any results.
My intention is to pass a list of student_id values derived from my initial search to the dbxquery and get a list of state with their counts.

index="syslog" TERM(AUS)
| table student_id
| map search="dbxquery query=\"select distinct address_state, count(*)
FROM stud.common.details WHERE site='$student_id$' group by address_state\" connection=Student"

Reply

hettervik
Builder
‎06-04-2021 07:09 AM

Looks like I'm facing the same issue. When I run the dbxquery directly from the SPL search window it works just fine, but inside the map-command it just hangs forever. Did you ever get this to work?

0 Karma
Reply

Nikitha
Explorer
‎09-21-2020 04:29 AM

Hi, were you able to solve the problem ? I am facing the same issue

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-26-2019 12:22 AM

@manunairadavakkat

try by adding |.

index="syslog" TERM(AUS)
| table student_id
| map search="| dbxquery query=\"select distinct address_state, count(*)
FROM stud.common.details WHERE site='$student_id$' group by address_state\" connection=Student"
Reply

manunairadavakk
Path Finder
‎07-26-2019 12:34 AM

@kamlesh_vaghela
Tried the below query, but no results being displayed, only displays count of events.

index="syslog" TERM(AUS)
| table student_id
| map search="| dbxquery connection=Student query=\"select distinct address_state, count(*)
FROM stud.common.details WHERE group by address_state\" | site='$student_id$' "

Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-26-2019 12:43 AM

@manunairadavakkat

What are your required columns?

0 Karma
Reply

manunairadavakk
Path Finder
‎07-26-2019 12:46 AM

@kamlesh_vaghela
Required columns : address_state, count(*)

It should include all those student_id from the earlier search ----
index="syslog" TERM(AUS)
| table student_id

Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-26-2019 01:07 AM

@manunairadavakkat

Can you please try this?

index="syslog" TERM(AUS)
| table student_id
| map search="| dbxquery connection=Student query=\"select distinct address_state, count(*) as count
FROM stud.common.details WHERE group by address_state\" | site='$student_id$' | eval student_id='$student_id$' | table student_id address_state count"
Reply

manunairadavakk
Path Finder
‎07-26-2019 01:18 AM

@kamlesh_vaghela
It does not give any results.

Only the below count is shown:

21,657 events   (26/07/2019 18:01:01.000 to 26/07/2019 18:16:01.000)

"No results found" message in the result box

Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-26-2019 02:17 AM

@manunairadavakkat

Can you please execute below search by passing student_id and check results?

| dbxquery connection=Student query="select distinct address_state, count(*) as count
FROM stud.common.details WHERE group by address_state" | site='$student_id$' | eval student_id='$student_id$' | table student_id address_state count

Reply

manunairadavakk
Path Finder
‎07-26-2019 03:39 AM

@kamlesh_vaghela

Ran the query directly, it shows 117 results.
When running the above query as well, it shows event count as 117, but no results are displayed

Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-26-2019 04:10 AM

is it possible to share a screenshot?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...