Splunk Search

Passing a field from a database query to another search DB Connect

stephenho
Path Finder

Hi,

I was playing around with DB connect and it is quite cool. However, when I was trying to make a dashboard out of some tables, I couldn't work out how to pass the values out of the original query.

In the simplest example : -
| dbquery orcl limit=1000 "select count(*) as myValue from tableA" |table myValue

appears to give me a blank value. Although if I leave out everything after the first pipe, it does work.

I also plan to use SideView utils to build some dashboards and will I be able to pass values from the query to other modules?

Thanks in advance.

Cheers,

Steve

Tags (1)
0 Karma
1 Solution

ziegfried
Influencer

In this particular case you have the problem that Oracle typically returns column names in uppercase. dbquery simply emits the results it gets from the database. So in your example you could fix it by using the column name in upper case in the table command (which is case sensitive).

| dbquery orcl limit=1000 "select count(*) as myValue from tableA" |table MYVALUE

View solution in original post

0 Karma

ziegfried
Influencer

In this particular case you have the problem that Oracle typically returns column names in uppercase. dbquery simply emits the results it gets from the database. So in your example you could fix it by using the column name in upper case in the table command (which is case sensitive).

| dbquery orcl limit=1000 "select count(*) as myValue from tableA" |table MYVALUE
0 Karma

stephenho
Path Finder

Thanks Ziegfried. Appreciate it!

0 Karma

stephenho
Path Finder

Here's an example using the HR.employees table. I can't seem to put the value of count(*) into a value to move it into another part of a search.

C:\Program Files\Splunk\bin>splunk search "|dbquery orcl limit=1000 \"select count(*) as myEmployees from hr.employees\""
MYEMPLOYEES
-----------
        107

C:\Program Files\Splunk\bin>splunk search "|dbquery orcl limit=1000 \"select count(*) as myEmployees from hr.employees\" |table myEmployees"
INFO: No matching fields exist

Does that help?

0 Karma

ziegfried
Influencer

Please explain in more detail what you want to achieve by "passing values out of the original query".

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...