We are using HCL BigFix and HCL Insights as a data warehouse. There have been times when the import of data from HCL BigFix to HCL Insights has partially failed with no indication a failure has occurred. We would like to verify the HCL Insights data imported into Splunk against the HCL BigFix databases. Is there a way to run SPL that checks what's in Splunk against an external MS SQL database?
I know how to create a db connector and set up a read-only account. But I don't want to import data from the database, just verify the data already in Splunk.
index=patch sourcetype="ibm:bigfix:Patch" | table BigFixDatabasePathTxt ComputerDNSNm ComputerId FixletId FixletIsRelevantInd FixletLastBecameRelevantDtm | join type=inner ComputerId [ | dbxquery query="select BigFixDatabasePathTxt, ComputerDNSNm, ComputerId, FixletId, FixletIsRelevantInd, FixletLastBecameRelevantDtm from patch where {put SPL output here?}" ]
We'd like the output to only show unmatched data.
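
One way to express this comparison in SPL, as an added example that is not part of the original post: pull the key columns from both sides, tag each row with its origin, and keep only the rows seen on one side. The connection name `bigfix_ro` is hypothetical; the table `patch` and the column names are taken from the query in the post and are assumed to match the Splunk field names.

```spl
| dbxquery connection="bigfix_ro" query="SELECT ComputerId, FixletId, FixletIsRelevantInd FROM patch"
| eval origin="bigfix"
| append
    [ search index=patch sourcetype="ibm:bigfix:Patch"
      | stats latest(FixletIsRelevantInd) AS FixletIsRelevantInd BY ComputerId FixletId
      | eval origin="splunk" ]
| stats values(origin) AS found_in dc(origin) AS sides BY ComputerId FixletId FixletIsRelevantInd
| where sides=1
| sort ComputerId FixletId
```

`found_in` shows which side holds the unmatched row. The `append` subsearch is subject to Splunk's subsearch result and runtime limits, so on large data sets compare one time window or one group of computers per run.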