
Check logs against two database tables

Engager

I would like to have one single saved search to check logs against 2 tables in a database.
Checking against one table is working fine for me.

The method I'm using is to form an inner join with the first table and the logs.

If I attempt to join another table I receive this error:

Error in 'dbquery' command: This command must be the first command of a search.

Is there another method I could try?

Thanks in advance

0 Karma

Re: Check logs against two database tables

SplunkTrust

It would be helpful to see the queries you've tried thus far.

If you have the appropriate permissions, consider creating a stored procedure that does the table join for you. Invoke the SP first using dbquery, then pipe those results into other search commands that combine data from the logs.

---
If this reply helps you, an upvote would be appreciated.
0 Karma