Splunk Search

How to integrate dbxquery query with Splunk search

aditsss
Builder



richgalloway
SplunkTrust

Patience, Grasshopper. You posted on a Sunday when most users are living their lives rather than hanging out here. Even on work days, it may take a while to get an answer, especially when the question doesn't describe the desired result.

Have you tried using append to combine the two queries?

| dbxquery query="SELECT \"id\", \"name\", \"chain\" FROM flows;" connection="Postgres"
| append [ search index=xyz sourcetype=xy source="logs" groups (CLIENT_Id="*")
  | rex field=Request_URL "\/(?<Group>[^\/]+)$"
  | convert timeformat="%Y-%m-%d" ctime(_time) AS Date
  | stats count by Date CLIENT_Id Group Request_URL
  | sort - CLIENT_Id
  | rename Group as id ]
| stats values(*) as * by id


---
If this reply helps you, an upvote would be appreciated.


richgalloway
SplunkTrust
Remove the final stats command and check the results to see if the DB fields are present.
---
If this reply helps you, an upvote would be appreciated.
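A way to make the diagnostic step above repeatable, as an added example that is not part of either reply: tag each side of the append with a hypothetical marker field (`src`, assumed name) before the rows are merged, normalize the join key, and then filter on how many sides contributed to each `id`. The index, sourcetype, connection name and SQL are the ones from the thread; `src` and the `trim(tostring(id))` normalization are assumptions added here.

```spl
| dbxquery query="SELECT \"id\", \"name\", \"chain\" FROM flows;" connection="Postgres"
| eval src="db"
| append [ search index=xyz sourcetype=xy source="logs" groups (CLIENT_Id="*")
  | rex field=Request_URL "\/(?<Group>[^\/]+)$"
  | convert timeformat="%Y-%m-%d" ctime(_time) AS Date
  | stats count by Date CLIENT_Id Group Request_URL
  | rename Group as id
  | eval src="logs" ]
| eval id=trim(tostring(id))
| stats values(*) as * by id
| where mvcount(src)=1
```

With the final `where`, the result lists only the `id` values seen on one side, so a row whose `src` is `logs` but carries no `name` or `chain` shows that the URL-derived id never matched a database row (for example because of stray whitespace or a case difference). Change the filter to `mvcount(src)=2` to keep only ids present in both sources, which is the merged output the original query was after.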