Splunk Search

DBX > 1.2 rising_column in query problem

StewGoin1
Explorer

So, to get around the known issue with rising_column not being able to be fully qualified (which is sort of required for how we poll ePO data via SQL) we implemented a different workaround than a wrapper query since that seems like it would be very hard to do without selecting every event (since we're trying to use EPOEvents.AutoID as the rising column).

So that column was mapped to event_id in the beginning of the query, then we set the rising_column to event_id and in the query never referenced $rising_column$ as a variable, just the checkpoint ?, i.e.:

{{WHERE EPOEvents.AutoID > ? }}

This worked just fine through 1.1.1, but when we patched to 1.1.2 the dbx.log would show that the query was invalid and contain this error that clued us into something being different in how 1.1.2 was parsing / requiring $rising_column$ within the query itself:

without proper {{ ... $rising_column$ > ?}} pattern!

Is there any way to force 1.1.2 or 1.1.3 now to NOT try and validate that the query is using $rising_column$ within the query? It prevents us from upgrading right now.

jcoates_splunk
Splunk Employee

There were some issues with DB Connect 1.1.3 and prior, use this with 1.1.4: http://apps.splunk.com/app/1819/


dshpritz
SplunkTrust

I ran into this as well. I think my solution was to set the rising column to "AutoID" and then change the where clause to:

{{WHERE EPOEvents.$rising_column$ > ?}}

You may need to adjust your rising column in the tracking file. More on that here.

HTH,

Dave

dshpritz
SplunkTrust

There are some possible workarounds in the release notes: http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Releasenotes


StewGoin1
Explorer

So, in attempting this I get the "AutoID column doesn't appear in results" errors. DBX not handling fully qualified column names seems to be making this just not work.
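
The three situations in this thread (a query that never carries the $rising_column$ token, the suggested EPOEvents.$rising_column$ > ? form, and a result set in which the rising column is not present under its own name) can be replayed against a small in-memory table. The following is an added example and not DB Connect's own code: the pattern check and the by-name column lookup are hypothetical re-creations inferred from the two error messages quoted above, SQLite stands in for the ePO SQL Server database, and because SQLite drops table qualifiers from result column names the aliasing of AutoID to event_id is used to stand in for the fully-qualified-name problem described in the last post. SAMPLE_EVENTS is constructed data.

```python
import re
import sqlite3

# Constructed sample rows standing in for ePO's EPOEvents table (not real data).
SAMPLE_EVENTS = [
    (101, "2014-05-01 10:00:00", "Threat detected"),
    (102, "2014-05-01 10:05:00", "Threat cleaned"),
    (103, "2014-05-01 10:10:00", "Policy enforced"),
]

# Hypothetical re-creation of the check behind the 1.1.2 log message quoted in
# the thread: the query text must contain the literal "$rising_column$ > ?" pattern.
RISING_PATTERN = re.compile(r"\$rising_column\$\s*>\s*\?")

# Shape from the original post: the rising column is aliased and the checkpoint
# placeholder is referenced directly, so the $rising_column$ token never appears.
QUERY_ALIASED = (
    "SELECT EPOEvents.AutoID AS event_id, EPOEvents.ReceivedUTC, EPOEvents.EventDesc "
    "FROM EPOEvents WHERE EPOEvents.AutoID > ? ORDER BY EPOEvents.AutoID"
)

# Shape from the reply: the token names the column inside the WHERE clause.
QUERY_TOKEN = (
    "SELECT EPOEvents.AutoID, EPOEvents.ReceivedUTC, EPOEvents.EventDesc "
    "FROM EPOEvents WHERE EPOEvents.$rising_column$ > ? ORDER BY EPOEvents.$rising_column$"
)

# Token present, but the rising column is aliased away in the SELECT list, so the
# poller cannot read the new checkpoint from the result rows by name.
QUERY_TOKEN_ALIASED = (
    "SELECT EPOEvents.$rising_column$ AS event_id, EPOEvents.EventDesc "
    "FROM EPOEvents WHERE EPOEvents.$rising_column$ > ?"
)


def template_is_valid(template: str) -> bool:
    """True when the template carries the '$rising_column$ > ?' checkpoint pattern."""
    return RISING_PATTERN.search(template) is not None


def build_query(template: str, rising_column: str) -> str:
    """Substitute the token; reject templates that lack the checkpoint pattern."""
    if not template_is_valid(template):
        raise ValueError("without proper { ... $rising_column$ > ?} pattern!")
    return template.replace("$rising_column$", rising_column)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the ePO database, populated with SAMPLE_EVENTS."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE EPOEvents (AutoID INTEGER PRIMARY KEY, ReceivedUTC TEXT, EventDesc TEXT)"
    )
    conn.executemany("INSERT INTO EPOEvents VALUES (?, ?, ?)", SAMPLE_EVENTS)
    return conn


def poll(conn: sqlite3.Connection, template: str, rising_column: str, checkpoint: int):
    """One polling cycle: fetch rows above the checkpoint and advance it.

    Returns (rows, new_checkpoint). The new checkpoint is read from the result
    rows by column name, which is why the rising column has to survive into the
    SELECT list under exactly the configured name.
    """
    sql = build_query(template, rising_column)
    rows = conn.execute(sql, (checkpoint,)).fetchall()
    if rows and rising_column not in rows[0].keys():
        raise KeyError(f"{rising_column} column doesn't appear in results")
    new_checkpoint = max((row[rising_column] for row in rows), default=checkpoint)
    return [dict(row) for row in rows], new_checkpoint


def run_demo() -> dict:
    """Replay the situations from the thread; returns a summary of each outcome."""
    conn = make_db()
    summary = {"aliased_template_valid": template_is_valid(QUERY_ALIASED)}
    rows, cp = poll(conn, QUERY_TOKEN, "AutoID", 101)   # first pass, checkpoint 101
    later, cp2 = poll(conn, QUERY_TOKEN, "AutoID", cp)   # second pass: nothing new
    summary.update(first_pass=len(rows), checkpoint=cp, second_pass=len(later), checkpoint2=cp2)
    try:
        poll(conn, QUERY_TOKEN_ALIASED, "AutoID", 0)
    except KeyError as exc:
        summary["alias_error"] = exc.args[0]
    return summary


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the module shows the first pass returning the two rows above checkpoint 101 and advancing it to 103, the second pass returning nothing, the aliased template being rejected by the pattern check, and the token-plus-alias query failing with the "column doesn't appear in results" condition. The design point is that the rising column serves two jobs at once, the WHERE comparison against the stored checkpoint and the by-name read of the new high-water mark from each batch, so any rewriting of its name in the SELECT list breaks the second job even when the first still runs.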
