All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

map search with dbxquery is not returning any Result

manunairadavakk
Path Finder
‎07-25-2019 11:00 PM

Hey there,

I have stumbled upon an issue where my below dbxquery map search is not yielding any results.
My intention is to pass a list of student_id values derived from my initial search to the dbxquery and get a list of state with their counts.

index="syslog" TERM(AUS)
| table student_id
| map search="dbxquery query=\"select distinct address_state, count(*)
FROM stud.common.details WHERE site='$student_id$' group by address_state\" connection=Student"

Reply

hettervik
Builder
‎06-04-2021 07:09 AM

Looks like I'm facing the same issue. When I run the dbxquery directly from the SPL search window it works just fine, but inside the map-command it just hangs forever. Did you ever get this to work?

0 Karma
Reply

Nikitha
Explorer
‎09-21-2020 04:29 AM

Hi, were you able to solve the problem ? I am facing the same issue

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-26-2019 12:22 AM

@manunairadavakkat

try by adding |.

index="syslog" TERM(AUS)
| table student_id
| map search="| dbxquery query=\"select distinct address_state, count(*)
FROM stud.common.details WHERE site='$student_id$' group by address_state\" connection=Student"
Reply

manunairadavakk
Path Finder
‎07-26-2019 12:34 AM

@kamlesh_vaghela
Tried the below query, but no results being displayed, only displays count of events.

index="syslog" TERM(AUS)
| table student_id
| map search="| dbxquery connection=Student query=\"select distinct address_state, count(*)
FROM stud.common.details WHERE group by address_state\" | site='$student_id$' "

Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-26-2019 12:43 AM

@manunairadavakkat

What are your required columns?

0 Karma
Reply

manunairadavakk
Path Finder
‎07-26-2019 12:46 AM

@kamlesh_vaghela
Required columns : address_state, count(*)

It should include all those student_id from the earlier search ----
index="syslog" TERM(AUS)
| table student_id

Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-26-2019 01:07 AM

@manunairadavakkat

Can you please try this?

index="syslog" TERM(AUS)
| table student_id
| map search="| dbxquery connection=Student query=\"select distinct address_state, count(*) as count
FROM stud.common.details WHERE group by address_state\" | site='$student_id$' | eval student_id='$student_id$' | table student_id address_state count"
Reply

manunairadavakk
Path Finder
‎07-26-2019 01:18 AM

@kamlesh_vaghela
It does not give any results.

Only the below count is shown:

21,657 events   (26/07/2019 18:01:01.000 to 26/07/2019 18:16:01.000)

"No results found" message in the result box

Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-26-2019 02:17 AM

@manunairadavakkat

Can you please execute below search by passing student_id and check results?

| dbxquery connection=Student query="select distinct address_state, count(*) as count
FROM stud.common.details WHERE group by address_state" | site='$student_id$' | eval student_id='$student_id$' | table student_id address_state count

Reply

manunairadavakk
Path Finder
‎07-26-2019 03:39 AM

@kamlesh_vaghela

Ran the query directly, it shows 117 results.
When running the above query as well, it shows event count as 117, but no results are displayed

Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎07-26-2019 04:10 AM

is it possible to share a screenshot?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...