Solved: Query SQL DB and ingest results to index?

bpitts2 · ‎10-03-2015

We have a system that stores very valuable data into a SQL database. I'd rather not ingest the entire DB (because it's huge). I'm wondering what strategy I should go with to get just the results of a specific query.

Let's say for example I want to index the the results of something like:

SELECT Count(*)
FROM sample_table
WHERE date > '2015-10-03 00:00:00'

I'd like to do this on an hourly interval. So I was thinking, I could write a script using sqlcmd such as:

sqlcmd -S theServer-d thisDB -E -Q "SELECT Count(*) FROM sample_table WHERE date > '2015-10-03 00:00:00'" -o "SQLOut.txt"

Then I would setup a monitor on that file.

Is there a less rube goldberg way of doing this, maybe using DB Connect 2?

Thanks in advance!

muebel · ‎10-03-2015

Yup, DB Connect is absolutely the way to go with this. You can setup a database input that will basically "tail" a query on the DB, indexing new results as they are found.

View solution in original post

muebel · ‎10-03-2015

Yup, DB Connect is absolutely the way to go with this. You can setup a database input that will basically "tail" a query on the DB, indexing new results as they are found.

Query SQL DB and ingest results to index?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation