Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pass input variable to dbxquery

manunairadavakk
Path Finder
‎08-22-2019 06:56 PM

Hi Experts,

I am struggling to pass inputs to my dbxquery.
My intention is to display all EMPID and Employer name by passing EMPID as the parameter to my dbxquery.
QUERY:
splunk_server=ass index="ass_main" host=*pr
| rex field=_raw "(?EMP[0-9]{12})"
| dedup EMPID
| fields EMPID
| map search="| dbxquery query=\"select \"Employer Name\" PR
FROM
BIA_BA_EUL.\"View Employee Helpdesk\" where \"Employee Number\" in $EMPID$\" connection=\"EMP-PR\"" | table EMPID,PR

ERROR:
Error in 'map' command: Unable to find saved search 'search='.

Request for any inputs please

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

thomasroulet
Path Finder
‎08-26-2019 02:58 AM

Hello,

map command is limited by default for 10 searches.
after map command, the results (in your case) are the results of the SQL command,
so if you want to obtain EMPID and PR, you have to select this fields in your SQL command

if EMPID is extracted through rex it would be like this :

 | rex field=_raw "(?<EMPID>[0-9]{12})"

You have to check the regexp.

Finally, your request may be look like this (for netezza)

 splunk_server=ass index="ass_main" host=*pr
 | rex field=_raw "(?<EMPID>[0-9]{12})"
 | dedup EMPID
 | fields EMPID
 | stats values(EMPID) as EMPID
 | eval EMPID = "'".mvjoin(EMPID, "','")."'"
 | map search="| dbxquery query=\"select \\\"Employer Name\\\" PR, \\\"Employee Number\\\" EMPID FROM BIA_BA_EUL.\\\"View Employee Helpdesk\\\" WHERE \\\"Employee Number\\\" in ($EMPID$)\" connection=\"EMP-PR\"" 
 | fields EMPID,PR

edit :
For some databases 

splunk_server=ass index="ass_main" host=*pr
 | rex field=_raw "(?<EMPID>[0-9]{12})"
 | dedup EMPID
 | fields EMPID
 | stats values(EMPID) as EMPID
 | eval EMPID = "'".mvjoin(EMPID, "','")."'"
 | map search="| dbxquery query=\"select `Employer Name` PR, `Employee Number` EMPID FROM BIA_BA_EUL.`View Employee Helpdesk` WHERE `Employee Number` in ($EMPID$)\" connection=\"EMP-PR\"" 
 | fields EMPID,PR

View solution in original post

Reply
Solved! Jump to solution

manunairadavakk
Path Finder
‎09-04-2019 04:56 PM

@thomasroulet

Sorry, the table names have been designed by the DBA and cannot be changed. Not sure why the behaviour is different while accessing through map and ordinary dbxquery. In map the double quotes is not being recognised.
This will not work because netezza does not recognise backticks, it recognises only double quotes.But somehow in map search it is not being recognised while it is being recognised in ordinary dbxquery.
Getting error as below:

[map]: org.netezza.error.NzSQLException: ERROR: 'select Employee Number FROM BIA_BA_EUL.View Employee Helpdesk WHERE Employee Number IN ('EMP1','EMP2') ANALYZE' error ^ found "`" (at char 24) expecting a keyword

0 Karma
Reply
Solved! Jump to solution

thomasroulet
Path Finder
‎09-04-2019 11:39 PM

OK one more try escape the backslashes in the query :

splunk_server=ass index="ass_main" host=*pr
       | rex field=_raw "(?<EMPID>[0-9]{12})"
       | dedup EMPID
       | fields EMPID
       | stats values(EMPID) as EMPID
       | eval EMPID = "'".mvjoin(EMPID, "','")."'"
       | map search="| dbxquery query=\"select \\\"Employer Name\\\" PR, \\\"Employee Number\\\" EMPID FROM BIA_BA_EUL.\\\"View Employee Helpdesk\\\" WHERE \\\"Employee Number\\\" in ($EMPID$)\" connection=\"EMP-PR\"" 
       | fields EMPID,PR
0 Karma
Reply
Solved! Jump to solution

manunairadavakk
Path Finder
‎09-05-2019 04:40 AM

@thomasroulet

U r a real gem, this worked like a charm. Thanks a lot for this
U were a real helping hand.

0 Karma
Reply
Solved! Jump to solution

thomasroulet
Path Finder
‎09-05-2019 04:58 AM

glad to have helped.
Don't forget to vote the answer. I updated it

0 Karma
Reply
Solved! Jump to solution

manunairadavakk
Path Finder
‎09-01-2019 09:45 PM

@jschogel

Thanks for the response.
I tried the above query.

Values for EMPID was 'EMP1','EMP2','EMP3'
but however query_text is null

0 Karma
Reply
Solved! Jump to solution

manunairadavakk
Path Finder
‎08-25-2019 05:12 PM

Hi Experts,
Request for some help/pointers for the above issue.
Been struggling for a solution

0 Karma
Reply
Solved! Jump to solution

nyc_jason
Splunk Employee
Splunk Employee
‎08-25-2019 10:24 PM

Hello, in your |rex command, you are creating a field called EMP. Did you mean to make that variable called EMPID?

0 Karma
Reply
Solved! Jump to solution

manunairadavakk
Path Finder
‎08-25-2019 11:26 PM

@jschogel

Not sure i am not able to write the rex command properly in the above problem statement
My variable is EMPID extracted through rex.
I have to pass the field EMPID as an input to the dbxquery and fetch employers name of only those EMPID obtained from first search

0 Karma
Reply
Solved! Jump to solution

manunairadavakk
Path Finder
‎08-22-2019 07:18 PM

The error was removed when i changed my query to the below one. I am getting the expected number of events, but i need EMPID,PR to be displayed in a table

splunk_server=ass index="ass_main" host=*pr
| rex field=_raw "(?EMP[0-9]{12})"
| dedup EMPID
| fields EMPID
| map search=" | dbxquery query=\"select \"Employer Name\" PR
FROM
BIA_BA_EUL.\"View Employee Helpdesk\" where \"Employee Number\"='$EMPID$'\" connection=\"EMP-PR\"" | fields EMPID,PR

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...