Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to connect two databases from different servers with join command?

razzeri
Observer
‎01-19-2023 11:55 AM

Hello guys. I received this task at my job, and I still need money in my pocket, so please help me :)) 
I'm in a Network Operational team; maybe this will help you understand better the following description.

So, In a single Splunk search I have to connect 2 databases, from different servers

One DB contains "Incidents"Incident ID, Start time of the Incident (Let's call it A), End time of the incident (B)
The other DB contains  "Call Complaints"The timestamp of each Call complaint (C).

I need to find out the amount of call complaints for each incident. So, if C>=A AND C<=B, we count a call complaint for a specific incident, and we can move on to check the next C timestamp, and so on. 

I have issues right from the start. I tried to connect the databases with the next syntax:

| dbxquery query=[...]  connection=A
| join
              [ dbxquery  query=[...]  connection=B]

But, when I try a table command to see the interesting fields for me (Incident ID, A, B, C), the fields from the joined DB are looking the same on each line..Capture.PNG
Could you please help me with this? 

0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-19-2023 06:26 PM

Hi @razzeri,

Join command default type is  INNER which tries to match all possible fields. Can you try below?

Assuming connection A is your Incidents table.

| dbxquery query=[...]  connection=A
| join type=left max=0 INCIDENT_NUMBER
              [ dbxquery  query=[...]  connection=B]

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

razzeri
Observer
‎01-19-2023 12:22 PM

I think I need a new "time" field to link with both DB. But how??

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...