Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to connect two databases from different servers with join command?

razzeri
Observer
‎01-19-2023 11:55 AM

Hello guys. I received this task at my job, and I still need money in my pocket, so please help me :)) 
I'm in a Network Operational team; maybe this will help you understand better the following description.

So, In a single Splunk search I have to connect 2 databases, from different servers

One DB contains "Incidents"Incident ID, Start time of the Incident (Let's call it A), End time of the incident (B)
The other DB contains  "Call Complaints"The timestamp of each Call complaint (C).

I need to find out the amount of call complaints for each incident. So, if C>=A AND C<=B, we count a call complaint for a specific incident, and we can move on to check the next C timestamp, and so on. 

I have issues right from the start. I tried to connect the databases with the next syntax:

| dbxquery query=[...]  connection=A
| join
              [ dbxquery  query=[...]  connection=B]

But, when I try a table command to see the interesting fields for me (Incident ID, A, B, C), the fields from the joined DB are looking the same on each line..Capture.PNG
Could you please help me with this? 

Labels (1)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-19-2023 06:26 PM

Hi @razzeri,

Join command default type is  INNER which tries to match all possible fields. Can you try below?

Assuming connection A is your Incidents table.

| dbxquery query=[...]  connection=A
| join type=left max=0 INCIDENT_NUMBER
              [ dbxquery  query=[...]  connection=B]

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

razzeri
Observer
‎01-19-2023 12:22 PM

I think I need a new "time" field to link with both DB. But how??

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...