Splunk DB Connect: Can the lookup table for defining extra fields in a datamodel be a dblookup?

Path Finder

It seems that the lookup table for defining extra fields in a datamodel cannot be a dblookup (database lookup)? Can someone confirm this is the case and not a bug?

The dblookup works fine in a standalone search, but I am not able to make it work in the datamodel editor.

0 Karma

Re: Splunk DB Connect: Can the lookup table for defining extra fields in a datamodel be a dblookup?

Splunk Employee

I think that's correct... if you can take a bit of delay in recognizing the new schema, you can use the dblookup to regularly generate a new Splunk lookup.

0 Karma

Re: Splunk DB Connect: Can the lookup table for defining extra fields in a datamodel be a dblookup?

Contributor

Could you please elaborate on what you mean by "you can use the dblookup to regularly generate a new Splunk lookup"?

0 Karma

Re: Splunk DB Connect: Can the lookup table for defining extra fields in a datamodel be a dblookup?

Splunk Employee

A saved search that looks something like this:
dblookup mydb "select * from mytable" | outputlookup mylookup
Then you use mylookup in your searches.

0 Karma

Re: Splunk DB Connect: Can the lookup table for defining extra fields in a datamodel be a dblookup?

Contributor

Did you mean |dbquery instead of |dblookup?
I was using |dbquery, but the lookup file kept growing and it's huge. To avoid this we also wanted to implement dblookup in the datamodel.

0 Karma

Re: Splunk DB Connect: Can the lookup table for defining extra fields in a datamodel be a dblookup?

Splunk Employee

D'oh -- yes, that is what I meant... can you use a SQL limit to keep the size of your query down?

0 Karma

Re: Splunk DB Connect: Can the lookup table for defining extra fields in a datamodel be a dblookup?

Contributor

No, as a lookup can be done on any record from the last one year.

0 Karma

Re: Splunk DB Connect: Can the lookup table for defining extra fields in a datamodel be a dblookup?

Splunk Employee

Maybe it would work better to dbquery blah | dedup eventid | collect mysummary?

0 Karma

Re: Splunk DB Connect: Can the lookup table for defining extra fields in a datamodel be a dblookup?

Contributor

We thought about that, but it is not preferable to create a new summary index in this case.

0 Karma