Rowcount comparisons on large numbers of database tables

mcomfurf
Path Finder

I'm working with a customer to run rowcount comparisons between two tables that are replicating data in one direction, from A>B, and alert if the delta between the two is more than x%.

If the results of select count * from DB_A_Table_1 are more than +/- 5% different from the results of select count * from DB_B_Table_1, then we trigger an alert. The POC was against a single pair of tables, and worked so well the customer now wants about 170 pairs of tables compared. I have to imagine there's a more elegant way to do this than to set up 340 DBConnect queries to index and then 170 alerts, though I do want to index rowcount results each time so we can see trends when troubleshooting.

If someone has done this in the past, your guidance is appreciated. If no one pipes up, I will post the solution when I arrive at one, hopefully only slightly balder and greyer than I am at the time of this writing.

woodcock
Esteemed Legend

I vaguely recall (but could not confirm after searching for a bit) that when you first connect to a DB, before you give any dbquery commands, Splunk receives a table summary that includes rowcount and a few other things. If this is true, you can just do connections and no queries and save a bunch of time/effort.

0 Karma

ppablo
Retired

Hi @mcomfurf

It'll be helpful for other users if you could provide more details in your post. What version of Splunk are you using? What version of DB Connect? Do you have an expected output/format? What have you tried so far that works or doesn't work? You should always provide as much detail as possible to save people time from asking you all these questions to gather information.

0 Karma
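
The comparison described in the original question, generalized to any number of table pairs driven from one feed of rowcount events, as an added example that is not part of the thread. The event layout (time, side, table, rowcount), the table names and the handling of an empty source table are assumptions made for illustration.

```python
from collections import defaultdict

THRESHOLD_PCT = 5.0  # tolerance from the question: +/- 5%

# Constructed sample events: (epoch_time, side, table, rowcount).
# The field layout and table names are assumptions, not from the thread.
SAMPLE_EVENTS = [
    (1700000000, "A", "Table_1", 1000),
    (1700000000, "B", "Table_1", 990),
    (1700000000, "A", "Table_2", 2000),
    (1700000000, "B", "Table_2", 1800),
    (1700000300, "B", "Table_2", 1850),  # newer sample supersedes the 1800
    (1700000000, "A", "Table_3", 0),
    (1700000000, "B", "Table_3", 0),
    (1700000000, "A", "Table_4", 500),   # B side never reported
]


def latest_counts(events):
    """Keep the most recent rowcount per (table, side)."""
    latest = defaultdict(dict)
    for _ts, side, table, count in sorted(events):  # oldest first
        latest[table][side] = count
    return latest


def compare(events, threshold_pct=THRESHOLD_PCT):
    """Return {table: (status, pct_delta)} for every table seen."""
    results = {}
    for table, sides in latest_counts(events).items():
        a, b = sides.get("A"), sides.get("B")
        if a is None or b is None:
            # A missing side is reported separately, never treated as "ok".
            results[table] = ("missing_side", None)
            continue
        if a == 0:
            # Assumed convention: avoid dividing by zero; an empty source
            # matches only an empty target, anything else is a 100% delta.
            pct = 0.0 if b == 0 else 100.0
        else:
            pct = round(abs(a - b) / a * 100, 2)
        results[table] = ("alert" if pct > threshold_pct else "ok", pct)
    return results


if __name__ == "__main__":
    for table, (status, pct) in sorted(compare(SAMPLE_EVENTS).items()):
        print(table, status, pct)
```

Keeping every rowcount sample as its own event preserves the history for trend analysis, while the comparison itself runs once over all pairs.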