Re: DB Lookup using SQL Server

dbuchanan46 · ‎05-05-2014

Hello,

I have a simple search containing clientid that relates back to an ID in one of my SQL Server tables. The search is:

sourcetype="twitter.newIndex.stats" | chart count by clientId | sort -count by clientId

In my SQL Server Clients table I have a field called provId that is the same as ClientId in my Splunk search. I would like to display the Clients desciption(clientProj) based on this relationship. I've created the connection to the database and I have used DB Connect to create a query that displays all the project descriptions based on the same client ID. The actual query is:

SELECT provId, clientProj FROM dbo.Clients

What is the easiest way to use this query as a lookup within my Splunk Search? My clients will grow over time, so the table is not static.

Thanks for your help.

ilink_splunk · ‎05-08-2014

Check out the docs for creating a lookup with db connect. Make sure you index your lookup database table first. Also, it is probably best to avoid the dblookup command, at least in production.

DB Lookup using SQL Server

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Casting Call: Compete in Cyber Games

Announcing Modern Navigation: A New Era of Splunk User Experience

How Edge Processor's Durable Queue Works

Join the Conversation