Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

DB Lookup using SQL Server

dbuchanan46
New Member
‎05-05-2014 02:18 PM

Hello,

I have a simple search containing clientid that relates back to an ID in one of my SQL Server tables. The search is:

sourcetype="twitter.newIndex.stats" | chart count by clientId | sort -count by clientId

In my SQL Server Clients table I have a field called provId that is the same as ClientId in my Splunk search. I would like to display the Clients desciption(clientProj) based on this relationship. I've created the connection to the database and I have used DB Connect to create a query that displays all the project descriptions based on the same client ID. The actual query is:

SELECT provId, clientProj FROM dbo.Clients

What is the easiest way to use this query as a lookup within my Splunk Search? My clients will grow over time, so the table is not static.

Thanks for your help.

0 Karma
Reply

ilink_splunk
Splunk Employee
Splunk Employee
‎05-08-2014 09:48 AM

Check out the docs for creating a lookup with db connect. Make sure you index your lookup database table first. Also, it is probably best to avoid the dblookup command, at least in production.

Reply
Register for .conf25!
Get Updates on the Splunk Community!

Splunk ITSI & Correlated Network Visibility

  Now On Demand   Take Your Network Visibility to the Next Level In today’s complex IT environments, ...

Community Content Calendar, August edition

In the dynamic world of cybersecurity, staying ahead means constantly solving new puzzles and optimizing your ...

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...
Top