How to connect two databases from different server...

razzeri · ‎01-19-2023

Hello guys. I received this task at my job, and I still need money in my pocket, so please help me :))
I'm in a Network Operational team; maybe this will help you understand better the following description.

So, In a single Splunk search I have to connect 2 databases, from different servers.

One DB contains "Incidents": Incident ID, Start time of the Incident (Let's call it A), End time of the incident (B)
The other DB contains "Call Complaints": The timestamp of each Call complaint (C).

I need to find out the amount of call complaints for each incident. So, if C>=A AND C<=B, we count a call complaint for a specific incident, and we can move on to check the next C timestamp, and so on.

I have issues right from the start. I tried to connect the databases with the next syntax:

| dbxquery query=[...] connection=A
| join
[ dbxquery query=[...] connection=B]

But, when I try a table command to see the interesting fields for me (Incident ID, A, B, C), the fields from the joined DB are looking the same on each line..
Could you please help me with this?

scelikok · ‎01-19-2023

Hi @razzeri,

Join command default type is INNER which tries to match all possible fields. Can you try below?

Assuming connection A is your Incidents table.

| dbxquery query=[...]  connection=A
| join type=left max=0 INCIDENT_NUMBER
              [ dbxquery  query=[...]  connection=B]

If this reply helps you an upvote and "Accept as Solution" is appreciated.

razzeri · ‎01-19-2023

I think I need a new "time" field to link with both DB. But how??

How to connect two databases from different servers with join command?

Other

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability