Re: database conditional input

hugohctint · ‎05-06-2018

I have an oracle database connection that I need to run a select and look for records and then check whether or not each one if does not exist needs to be included as a new event. I had set a dbconnect input but I do not thing it would accept any conditional command against an index or sourcetype.

Thanks in advance for your help

hugohctint · ‎05-07-2018

Hello Woodcock,
It think It is actually the other way. I need to find records on the database SELECT statement under a condition and then check if if they do not exist in the index as an event. Only if the new value does not exist in the index I need to "insert it" as a new event on the index.

woodcock · ‎05-06-2018

Now we are talking; try this:

index=customer
| stats count by customer
| table customer
| rename customer AS dropme
| format "customer IN(" "" "" "," "" ")"
| rex field=search mode=sed "s/dropme=//g s/,\s*\)/)/"
| map search="|dbxquery ... \"SELECT * FROM Cust_NUM > \"100\" AND $search$\""

hugohctint · ‎05-06-2018

sure, I give you an example (just seudo code):

something like... dbxquery < param> "SELECT * FROM Customer where Cust_NUM > "100" | search index=customer| if (customer) exits then "add the event into index" else skip

Is it more clear now?

hugohctint · ‎05-06-2018

sure, I give you an example (just seudo code):

something like... dbxquery < param> "SELECT * FROM Customer where Cust_NUM > "100" | search index=customer| if (customer) exits then "add the event into index" else skip

Is it more clear now?

woodcock · ‎05-06-2018

I do not get the "look for" and "check whether" parts. We need much more detail here.

database conditional input

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk