Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why does the dbxquery break when put into the dashboard?

DerBastler
New Member
‎05-28-2018 08:11 AM

Hey there,

I stumbled over an issue with a dbxquery. While it works perfectly fine outside of a dashboard, it breaks when I put it into the dashboard.

I am basically putting together a query like this:

| table myips
| eval myquery = "SELECT yadda yadda WHERE data_ip in (".myips.");"
| map search="| dbxquery connection=SomeDatabase query=$myquery$"

And it works perfectly fine, however once I put it into a dashboard it starts to break.
First, the dashboard is looking for input. If I create a dummy inputfield with the token myquery, it will give out an error:
"[map]: At least a query or stored procedure parameter is required."

I also tried to put it together and mix the double quotes with the single quotes but that doesn't work either.

Do you have any other idea on how to do that? Just using dbxquery without the map command is not working either as the db connection has to occur in the middle of the splunk query.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎05-29-2018 05:38 AM

@DerBastler, please try the following. You need to escape the $ sign in token with $$ in the dashboard:

 <yourCurrentSearch>
 | table myips
 | map search="| dbxquery connection=SomeDatabase query=\"SELECT yadda yadda WHERE data_ip in (\"$$myips$$\")\""

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

DerBastler
New Member
‎05-29-2018 05:45 AM

Cool, yeah, double $ work well, thanks a lot! 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎05-29-2018 05:38 AM

@DerBastler, please try the following. You need to escape the $ sign in token with $$ in the dashboard:

 <yourCurrentSearch>
 | table myips
 | map search="| dbxquery connection=SomeDatabase query=\"SELECT yadda yadda WHERE data_ip in (\"$$myips$$\")\""

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-28-2018 10:14 AM

@DerBastler, have you tried the following in dashboard?

<yourCurrentSearch>
| table myips
| map search="| dbxquery connection=SomeDatabase query=\"SELECT yadda yadda WHERE data_ip in (\"$myips$\")\""
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

DerBastler
New Member
‎05-29-2018 02:23 AM

Keeping the the (\".myips.\") intact breaks with an error:

expected something between '(' and '.'.
so likely escaping the field breaks it.

also exchanging this to (\"$myips$\")\"
as described in your example results in the old problem that the dashboard is waiting for some input for myips.

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎05-29-2018 05:27 AM

Can you try escaping $ with $$ i.e.

(\"$$myips$$\")\"

One more thing you can try is using token with string escaping i.e.

($myips|s$)\"

I will try to mimic with similar map command use case as I current do not have DB Connect to test dbxquery.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...