- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: dbquery show database name in results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
dbquery show database name in results
When using the DB connector, is it possible to show either the hostname or a fixed string alongside the query results?
The reason is, I have a dbquery which uses |append that talks to multiple databases to show the results in one table.
It queries 7 hosts and pulls out some information from the same database name in each host, but when it finds a result, I am not sure which host it has found the information in.
Example:
| dbquery "NPS-01" "select * from _v_dslice where DS_STATUS='Healthy' order by ds_id" | append [| dbquery "NPS-03" "select * from _v_dslice where DS_STATUS='Healthy' order by ds_id"]
It will show both results in one table, which is great but I would be happy with an additional column that shows the hostname alongside each query result.
I would be fine with reporting a hard coded string along with each query if that would solve it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Depending upon what database you're using, you could use SQL to fetch the database name. Then you could use the union SQL command to append it in a column. I don't think this would be possible using the splunk search language, unless you wanted to hardcode it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
does your dbquery return any records? eval should be placed after your parent query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unfortunately that doesn't return any results 😕
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
...|eval dbconnector=xxx|fields + dbconnector
|stats count by dbconnector
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Unknown search command 'field'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes you can, |eval dbconnector=xxx|field + dbconnector
|stats count by dbconnector
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, it isn't necessarily the database name that I'd want to show per-se, I'd either show the name of the connector that I'm calling (I.E. NPS-01) or hard code a string to show "server-01" or whatever.
For example, in splunk graphing, it's possible to add a dummy static value to appear on a chart by doing an eval.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
