DB Lookup using SQL Server

dbuchanan46 · ‎05-05-2014

Hello,

I have a simple search containing clientid that relates back to an ID in one of my SQL Server tables. The search is:

sourcetype="twitter.newIndex.stats" | chart count by clientId | sort -count by clientId

In my SQL Server Clients table I have a field called provId that is the same as ClientId in my Splunk search. I would like to display the Clients desciption(clientProj) based on this relationship. I've created the connection to the database and I have used DB Connect to create a query that displays all the project descriptions based on the same client ID. The actual query is:

SELECT provId, clientProj FROM dbo.Clients

What is the easiest way to use this query as a lookup within my Splunk Search? My clients will grow over time, so the table is not static.

Thanks for your help.

ilink_splunk · ‎05-08-2014

Check out the docs for creating a lookup with db connect. Make sure you index your lookup database table first. Also, it is probably best to avoid the dblookup command, at least in production.

DB Lookup using SQL Server

Maximizing the Value of Splunk ES 8.x

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Introducing .conf Stories Series!

Are you a member of the Splunk Community?

DB Lookup using SQL Server

Maximizing the Value of Splunk ES 8.x

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Introducing .conf Stories Series!