Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

DBConnect dobbel quotes in key value pair

lyngstad
Loves-to-Learn Lots
‎11-07-2024 03:25 AM

Hello

I have a DBConnect query that gets data from a database and then send it to a Splunk index. Below are the query and also how it looks in Splunk. The data is being indexed as key=value pair with dobbel quotes around "value". I have plenty of other data that is not using DBConnect and they dont have dobbel quotes around value.  

Maybe the quotes is there because im using DBConnect?

Is it possible to index data from DBConnect without adding the quotes?

When i try to searc the data in Splunk i just dont get any data. I think it may have to do with the dobbel quotes? I'm not sure.

Here are the search string. The air_temp is defined in the Climate datamodel. The TA(air temperature) in the data is defined in props.conf with the right sourcetype TU_CLM_Time.

| tstats avg(Climate.air_temp) as air_temp from datamodel="Climate" where sourcetype="TU_CLM_Time" host=TU_CLM_1 by host _time span=60m ```Fetching relevant fields from CLM sourcetype in CLM datamodel.```

lyngstad_1-1730978071144.png

 

lyngstad_0-1730977707554.png

lyngstad_2-1730978147918.png

lyngstad_3-1730978339570.png

 

 

Labels (1)
Labels
0 Karma
Reply

victor_menezes
Communicator
‎11-07-2024 06:41 AM

Hi @lyngstad ,

Based in your search results screenshot, you get the values from the by clause but lack the calculation of air temp, so I guess the trick is to format the datamodel to be measured (so yes, it may be related to some double quotes around the values).

Can you try this then? Trying to get it via "values" so we can later convert to number and remove the quotes, which will allow average metric.

| tstats values(Climate.air_temp) as air_temp_raw from datamodel="Climate" where sourcetype="TU_CLM_Time" host=TU_CLM_1 by host _time span=60m
| eval air_temp_numeric = tonumber(trim(air_temp_raw, "\""))
| stats avg(air_temp_numeric) as air_temp by host _time

  

0 Karma
Reply

lyngstad
Loves-to-Learn Lots
‎11-07-2024 07:02 AM

Hi

Thanks for answering.

I tried the search you provided with no luck.

lyngstad_0-1730991651926.png

 

0 Karma
Reply

victor_menezes
Communicator
‎11-07-2024 08:38 AM

Okay, in this case, please share the search that renders the datamodel. Perhaps you can do the replace there to make sure there are no double quotes returned on Climate.air_temp field.

0 Karma
Reply

lyngstad
Loves-to-Learn Lots
‎11-07-2024 11:38 PM

Okey, so i dont now exactly where the search is. I have the datamodel.

lyngstad_0-1731051298688.png

lyngstad_1-1731051340732.png

lyngstad_2-1731051482009.png

 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...