
Splunk DB Connect 1: How to enrich the dbquery output to show the database name that systems come from?

hartfoml
Motivator

I have a query that looks through 55 databases using a UNION command that looks like this:

| dbquery "MyDatabase" "(SELECT * FROM ORG2.MACHINE) UNION (SELECT * FROM ORG3.MACHINE) UNION (SELECT * FROM ORG4.MACHINE) UNION (SELECT * FROM ORG5.MACHINE) UNION (SELECT * FROM ORG6.MACHINE) UNION (SELECT * FROM ORG7.MACHINE) UNION (SELECT * FROM ORG8.MACHINE) UNION (SELECT * FROM ORG9.MACHINE) UNION (SELECT * FROM ORG10.MACHINE) UNION (SELECT * FROM ORG11.MACHINE) UNION (SELECT * FROM ORG12.MACHINE) UNION (SELECT * FROM ORG13.MACHINE) UNION (SELECT * FROM ORG14.MACHINE) UNION (SELECT * FROM ORG15.MACHINE) UNION (SELECT * FROM ORG16.MACHINE) UNION (SELECT * FROM ORG17.MACHINE) UNION (SELECT * FROM ORG18.MACHINE) UNION (SELECT * FROM ORG19.MACHINE) UNION (SELECT * FROM ORG20.MACHINE) UNION (SELECT * FROM ORG21.MACHINE) UNION (SELECT * FROM ORG22.MACHINE) UNION (SELECT * FROM ORG23.MACHINE) UNION (SELECT * FROM ORG24.MACHINE) UNION (SELECT * FROM ORG25.MACHINE) UNION (SELECT * FROM ORG26.MACHINE) UNION (SELECT * FROM ORG27.MACHINE) " 

I can add the search to find one particular machine like this | search IP=xxx.xxx.xxx.xxx

I would like to know which of the 55 databases the system came from so I can look up more information from one of the other tables in that database related to that system.

How can I enrich the output to show the database name that the systems come from?

0 Karma

jcoates_splunk
Splunk Employee

I don't think you can do this with dbquery, unless you can get the SQL statement to emit the value you want. That's probably possible, but it will be very database-specific.

If you index the data instead, you can set the host or source value.

0 Karma
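
One way to have the SQL statement emit the value, as the answer above suggests. This is an added example, not code from the thread: `SOURCE_DB` is a hypothetical column name, the `IP` column is assumed from the poster's `search IP=...` filter, and the qualified-star syntax (`m.*`) may need adjusting for a particular database.

```sql
-- Each UNION branch tags its rows with a literal naming the schema it reads,
-- so every row returned to Splunk carries a SOURCE_DB field.
SELECT t.*
FROM (
    SELECT 'ORG2' AS SOURCE_DB, m.* FROM ORG2.MACHINE m
    UNION ALL
    SELECT 'ORG3' AS SOURCE_DB, m.* FROM ORG3.MACHINE m
    UNION ALL
    SELECT 'ORG4' AS SOURCE_DB, m.* FROM ORG4.MACHINE m
    -- ...one branch per schema, same pattern, through ORG27.MACHINE
) t
-- Optional: filter in the database instead of in Splunk.
-- 192.0.2.10 is a constructed sample address.
WHERE t.IP = '192.0.2.10'
```

With the label column present, a machine that exists in two schemas comes back as two rows, one per source, which is why `UNION ALL` is used rather than `UNION`. Strip the `--` comments before passing the statement to `dbquery` on a single line, since a line comment would swallow the rest of the query.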

hartfoml
Motivator

Thanks @ppablo_splunk for making the title more understandable and adding the new tag for the app!! I really appreciate your help 🙂

ppablo
Retired

No problem @hartfoml 🙂 I hope you find an answer to your question soon!

0 Karma