Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to convert SQL query to Splunk search?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to convert SQL query to Splunk search?
idkgirly
Loves-to-Learn
04-04-2023
10:13 AM
Hi,
I have the following tables:
asset table:
asset_id
solution_id
vulnerability_id
solution table:
solution_id
solution summary
vulnerability table:
vulnerability_id
title
severity
How do I write a splunk query to show a table that has the asset_id, solution summary, title, and severity?
This would be the SQL query that I use:
SELECT a.asset_id, b.solution_id, b.summary as solution_summary, c.vulnerability_id, c.title as vulnerability_title, c.severity
FROM asset a
JOIN solution b USING (solution_id)
JOIN vulnerability c USING(vulnerability_id)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
04-11-2023
01:26 PM
Where is this data? In SQL DB? In Splunk events? In a Splunk lookup file?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
04-04-2023
11:09 AM
Give this a try
(index=asset_index sourcetype=asset_sourcetype)
| fields asset_id, solution_id, vulnerability_id
| join type=left solution_id [search index=solution_index sourcetype=solution_sourcetype | fields solution_id, solution_summary]
| join type=left vulnerability_id [search index=vulnerability_index sourcetype=vulnerability_sourcetype | fields vulnerability_id, title, severity | rename title as vulnerability_title]
| table asset_id solution_summary vulnerability_title severity- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
idkgirly
Loves-to-Learn
04-04-2023
12:16 PM
I ran the query, but it does not return all the data. I was able to get a complete list of the asset_id, solution_id, and vulnerability_id, however, there are a few that are empty under solution_summary, vulnerability_title, and severity. Am I missing something in the query?
| asset_id | solution_id | vulnerability_id | vulnerability_title | solution_summary | severity |
| 1234 | 456 | 234 | Certificate expired | Obtain new certifcate | Severe |
| 1234 | 678 | 567 | Security Update for Windows | Critical | |
| 1234 | 890 | 893 |
Get Updates on the Splunk Community!
Data Management Digest – December 2025
Welcome to the December edition of Data Management Digest!
As we continue our journey of data innovation, the ...
Index This | What is broken 80% of the time by February?
December 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this ...
Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...
Hello Splunk Community,
We're thrilled to share an exciting update that will help you manage your data more ...
