How do you use the Database Connect Alert Action?

Andre_ · ‎07-07-2025

Hello,

I have Database Connect setup and it's working all fine. But I can't wrap my head around how the Alert Action works.

The Alert action "Output results to databases" has no parameters - what am I missing?

I have a DB table "test_table" with columns col1, col2 and want to setup

|  makeresults  
|  eval col1 = "test", col2 = "result"

as an alert that pushes the results into the "test_table". I would expect the Alert action to at least need to know what DB Output to use?

Any help appreciated,

Kind Regards
Andre

Andre_ · ‎07-17-2025

I found some more information, when I go:

Apps -> DBX -> search -> save as alert -> I get the Output Name field

but if I go:
Apps -> other app (like Search & Reporting) -> search -> save as alert -> I don't get the Output Name field

Any ideas what that could be?

Kind Regards,
Andre

PrewinThomas · ‎07-07-2025

@Andre_

Did you create database outputs first? The alert action does not prompt for parameters because it uses the mapping and connection you set up in the DB Connect app’s Outputs.

#https://help.splunk.com/en/splunk-cloud-platform/connect-relational-databases/deploy-and-use-splunk-...

If you want to test it manually, use | dbxoutput output="output_to_test_table" in your SPL

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Andre_ · ‎07-08-2025

The document you linked states in step 5 for creating and alert: “Enter the Output Name. The output name must exist in DB Connect.”

I have no option to enter the output name. Says no parameters required.

PrewinThomas · ‎07-08-2025

Your DB Connect version?

Andre_ · ‎07-08-2025

Latest 3.x, haven’t updated to 4.0.0 yet (not a fan of 0s)

PrewinThomas · ‎07-08-2025

@Andre_

I can see option to enter Output Name with DbConenct version 4. There might be bug/ui issue with your particular 3.x version, not sure.

Also i saw an option by directly editing savedsearches.conf, which i haven't tested. You can try this if you can't upgrade to 4.

After saving your alert, add below entry to your .conf with your db output name

action.db_output = 1
action.db_output.param.output = output_to_test_table

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Andre_ · ‎07-08-2025

When you set up the alert - what app are you using? Wondering if it’s a permission issue?
My alert is defined in the search app.

Andre_ · ‎07-08-2025

Hi,

yes, all is setup and works well when used manually. I can use SPL to update the database table.

i am unable to use the db connect alert action.

i have 3 outputs configured in DBX. Now I am setting up an alert and choose the db connect alert action. It’s not working. And in my mind it can’t because I have no way to tell it what output to use?

if someone has an dbx alert configured and could share the config that might clear up my confusion.

Kind regards,
Andre

How do you use the Database Connect Alert Action?

other

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

How do you use the Database Connect Alert Action?

other

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?