Splunk Enterprise

How do I search for unknown columns using DB Connect?

genesiusj
Builder

Hello,

Need to perform a search using a list of values and I do not know the field names.

In Splunk, this works.

 

 

 

 

index=employees AND (123456789 OR SMITH OR "1 MAIN STREET")
| table *

 

 

 

 

In SQL I can do this. Note: These are not my table or field names. This is an example from the Internet.

 

 

 

 

DECLARE @ColName varchar(126) = 'col_name'
DECLARE @ColVal varchar(64) = 'col_val'
DECLARE @SQL AS nvarchar(MAX)
SET @SQL = ''
SELECT @SQL = @SQL + 'SELECT * FROM ' + IST.TABLE_SCHEMA + '.' + IST.TABLE_NAME +' where '+ @ColName +' = '''+ @ColVal +''' ' + CHAR(13)
FROM 
    INFORMATION_SCHEMA.TABLES IST
    INNER JOIN INFORMATION_SCHEMA.COLUMNS ISC ON IST.TABLE_NAME = ISC.TABLE_NAME
WHERE
    ISC.COLUMN_NAME = @ColName
EXEC (@SQL)

 

 

 

 

 Is it possible to write the above for DBConnect?

Thanks and God bless,
Genesius

Labels (1)
Tags (3)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

DB Connect just runs SQL queries so if you can write the SQL for it (within reason - I've had complex queries fail under DBX) then it should work.  The example SQL probably won't work, but something like this should:

SELECT * FROM table

You then can use `| table *` to display the columns without knowing their names.

---
If this reply helps you, Karma would be appreciated.
0 Karma

genesiusj
Builder

Thanks, @richgalloway 

That is pretty much what I am doing when I am using Splunk against log data. The problem is I need to search through millions of database records. The number of db records needs to be limited to just those containing the values found before I table them. Otherwise, the dbxquery or dbxlookup commands will take 20, 30 or minutes to complete.

Thanks and God bless,
Genesius

0 Karma

richgalloway
SplunkTrust
SplunkTrust

That calls for a Rising Column.  A Rising Column is a database column with an ever-increasing, non-repeating value that Splunk can use to say "give me everything after *this*".  Of course, you must know the name of that column so you can specify it in the SQL where clause and so Splunk can keep track of it.  See https://docs.splunk.com/Documentation/DBX/3.10.0/DeployDBX/Createandmanagedatabaseinputs#Choose_inpu... for details.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...