Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Passing a field from a database query to another search DB Connect

stephenho
Path Finder
‎03-05-2013 02:14 AM

Hi,

I was playing around with DB connect and it is quite cool. However, when I was trying to make a dashboard out of some tables, I couldn't work out how to pass the values out of the original query.

In the simplest example : -
| dbquery orcl limit=1000 "select count(*) as myValue from tableA" |table myValue

appears to give me a blank value. Although if I leave out everything after the first pipe, it does work.

I also plan to use SideView utils to build some dashboards and will I be able to pass values from the query to other modules?

Thanks in advance.

Cheers,

Steve

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎03-05-2013 12:34 PM

In this particular case you have the problem that Oracle typically returns column names in uppercase. dbquery simply emits the results it gets from the database. So in your example you could fix it by using the column name in upper case in the table command (which is case sensitive).

| dbquery orcl limit=1000 "select count(*) as myValue from tableA" |table MYVALUE

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎03-05-2013 12:34 PM

In this particular case you have the problem that Oracle typically returns column names in uppercase. dbquery simply emits the results it gets from the database. So in your example you could fix it by using the column name in upper case in the table command (which is case sensitive).

| dbquery orcl limit=1000 "select count(*) as myValue from tableA" |table MYVALUE
0 Karma
Reply
Solved! Jump to solution

stephenho
Path Finder
‎03-05-2013 12:51 PM

Thanks Ziegfried. Appreciate it!

0 Karma
Reply
Solved! Jump to solution

stephenho
Path Finder
‎03-05-2013 12:30 PM

Here's an example using the HR.employees table. I can't seem to put the value of count(*) into a value to move it into another part of a search. 

C:\Program Files\Splunk\bin>splunk search "|dbquery orcl limit=1000 \"select count(*) as myEmployees from hr.employees\""
MYEMPLOYEES
-----------
        107

C:\Program Files\Splunk\bin>splunk search "|dbquery orcl limit=1000 \"select count(*) as myEmployees from hr.employees\" |table myEmployees"
INFO: No matching fields exist

Does that help?

0 Karma
Reply
Solved! Jump to solution

ziegfried
Influencer
‎03-05-2013 05:29 AM

Please explain in more detail what you want to achieve by "passing values out of the original query".

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...