Rowcount comparisons on large numbers of database tables

mcomfurf
Path Finder

I'm working with a customer to run rowcount comparisons between two tables that are replicating data in one direction, from A>B, and alert if the delta between the two is more than x%.

If the results of select count * from DB_A_Table_1 are more than +/- 5% different from the results of select count * from DB_B_Table_1, then we trigger an alert. The POC was against a single pair of tables, and worked so well the customer now wants about 170 pairs of tables compared. I have to imagine there's a more elegant way to do this than to set up 340 DBConnect queries to index and then 170 alerts, though I do want to index rowcount results each time so we can see trends when troubleshooting.

If someone has done this in the past, your guidance is appreciated. If no one pipes up, I will post the solution when I arrive at one, hopefully only slightly balder and greyer than I am at the time of this writing.
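
One way to cover every table pair with a single scheduled search and a single alert, as an added example that is not part of the original post and not Splunk's own configuration. It assumes the row counts are already indexed every 15 minutes as events carrying the hypothetical fields `db` (A or B), `table_name` and `row_count`, in a hypothetical index `rowcounts` with sourcetype `db_rowcount`:

```ini
# Added example: savedsearches.conf stanza. The stanza name, index, sourcetype
# and field names (rowcounts, db_rowcount, db, table_name, row_count) and the
# 15-minute schedule are assumptions, not values from the original post.
[Replication rowcount drift]
enableSched = 1
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
# Trigger when the search returns any rows; each result row is one table pair
# that is out of tolerance or missing a count from one side.
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
# Delta is measured against the source side (A), since replication runs A>B.
# A pair with no count from one side is reported rather than silently skipped,
# and a source count of zero is handled without dividing by zero.
search = index=rowcounts sourcetype=db_rowcount \
| stats latest(row_count) AS row_count BY table_name, db \
| eval count_a=if(db="A", row_count, null()), count_b=if(db="B", row_count, null()) \
| stats max(count_a) AS count_a, max(count_b) AS count_b BY table_name \
| eval delta_pct=case(isnull(count_a) OR isnull(count_b), null(), \
    count_a=0 AND count_b=0, 0, \
    count_a=0, 100, \
    true(), round(abs(count_a-count_b)/count_a*100, 2)) \
| eval status=case(isnull(count_a) OR isnull(count_b), "missing_side", \
    delta_pct>5, "drift", \
    true(), "ok") \
| where status!="ok"
```

Because the raw count events stay in the index, per-table trends remain available for troubleshooting independently of the alert.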

woodcock
Esteemed Legend

I vaguely recall (but could not confirm after searching for a bit) that when you first connect to a DB, before you give any dbquery commands, Splunk receives a table summary that includes rowcount and a few other things. If this is true, you can just do connections and no queries and save a bunch of time/effort.

0 Karma

ppablo
Community Manager

Hi @mcomfurf

It'll be helpful for other users if you could provide more details in your post. What version of Splunk are you using? What version of DB Connect? Do you have an expected output/format? What have you tried so far that works or doesn't work? You should always provide as much detail as possible to save people time from asking you all these questions to gather information.

0 Karma