Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk DB Connect 1: How to enrich the dbquery output to show the database name that systems come from?

hartfoml
Motivator
‎04-02-2015 12:16 PM

I have a query that looks through 55 databases using a UNION command that looks like this:

| dbquery "MyDatabase" "(SELECT * FROM ORG2.MACHINE) UNION (SELECT * FROM ORG3.MACHINE) UNION (SELECT * FROM ORG4.MACHINE) UNION (SELECT * FROM ORG5.MACHINE) UNION (SELECT * FROM ORG6.MACHINE) UNION (SELECT * FROM ORG7.MACHINE) UNION (SELECT * FROM ORG8.MACHINE) UNION (SELECT * FROM ORG9.MACHINE) UNION (SELECT * FROM ORG10.MACHINE) UNION (SELECT * FROM ORG11.MACHINE) UNION (SELECT * FROM ORG12.MACHINE) UNION (SELECT * FROM ORG13.MACHINE) UNION (SELECT * FROM ORG14.MACHINE) UNION (SELECT * FROM ORG15.MACHINE) UNION (SELECT * FROM ORG16.MACHINE) UNION (SELECT * FROM ORG17.MACHINE) UNION (SELECT * FROM ORG18.MACHINE) UNION (SELECT * FROM ORG19.MACHINE) UNION (SELECT * FROM ORG20.MACHINE) UNION (SELECT * FROM ORG21.MACHINE) UNION (SELECT * FROM ORG22.MACHINE) UNION (SELECT * FROM ORG23.MACHINE) UNION (SELECT * FROM ORG24.MACHINE) UNION (SELECT * FROM ORG25.MACHINE) UNION (SELECT * FROM ORG26.MACHINE) UNION (SELECT * FROM ORG27.MACHINE) "

I can add the search to find one particular machine like this | search IP=xxx.xxx.xxx.xxx

I would like to know from which of the 55 databases the system came from so I can look up more information from one of the other tables in that database related to that system.

How can i enrich the output to show the database name that the systems come from?

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎04-11-2015 01:40 PM

I don't think you can do this with dbquery, unless you can get the SQL statement to emit the value you want. That's probably possible, but it will be very database-specific.

If you index the data instead, you can set the host or source value.

0 Karma
Reply

hartfoml
Motivator
‎04-03-2015 06:18 AM

Thanks @ppablo_splunk for making the title more understandable and adding the new tag for the app!! I really appreciate your help 🙂

Reply

ppablo
Retired
‎04-06-2015 01:31 PM

No problem @hartfoml 🙂 I hope you find an answer to your question soon!

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...