Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: Why does the dbxquery break when put into the ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey there,
I stumbled over an issue with a dbxquery. While it works perfectly fine outside of a dashboard, it breaks when I put it into the dashboard.
I am basically putting together a query like this:
| table myips
| eval myquery = "SELECT yadda yadda WHERE data_ip in (".myips.");"
| map search="| dbxquery connection=SomeDatabase query=$myquery$"
And it works perfectly fine, however once I put it into a dashboard it starts to break.
First, the dashboard is looking for input. If I create a dummy inputfield with the token myquery, it will give out an error:
"[map]: At least a query or stored procedure parameter is required."
I also tried to put it together and mix the double quotes with the single quotes but that doesn't work either.
Do you have any other idea on how to do that? Just using dbxquery without the map command is not working either as the db connection has to occur in the middle of the splunk query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@DerBastler, please try the following. You need to escape the $ sign in token with $$ in the dashboard:
<yourCurrentSearch>
| table myips
| map search="| dbxquery connection=SomeDatabase query=\"SELECT yadda yadda WHERE data_ip in (\"$$myips$$\")\""
Please try out and confirm!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cool, yeah, double $ work well, thanks a lot! 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@DerBastler, please try the following. You need to escape the $ sign in token with $$ in the dashboard:
<yourCurrentSearch>
| table myips
| map search="| dbxquery connection=SomeDatabase query=\"SELECT yadda yadda WHERE data_ip in (\"$$myips$$\")\""
Please try out and confirm!
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@DerBastler, have you tried the following in dashboard?
<yourCurrentSearch>
| table myips
| map search="| dbxquery connection=SomeDatabase query=\"SELECT yadda yadda WHERE data_ip in (\"$myips$\")\""
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Keeping the the (\".myips.\") intact breaks with an error:
expected something between '(' and '.'.
so likely escaping the field breaks it.
also exchanging this to (\"$myips$\")\"
as described in your example results in the old problem that the dashboard is waiting for some input for myips.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try escaping $ with $$ i.e.
(\"$$myips$$\")\"
One more thing you can try is using token with string escaping i.e.
($myips|s$)\"
I will try to mimic with similar map command use case as I current do not have DB Connect to test dbxquery.
| makeresults | eval message= "Happy Splunking!!!"
Fastest way to demo Observability
September Community Champions: A Shoutout to Our Contributors!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
