Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk DB Connect 1: How to join SQL queries from different servers?

stevenahl
New Member
‎05-27-2015 10:13 AM 
    | dbquery Server1 "SELECT value1, value2 FROM db1.table"
    | join type=left value2 [| dbquery Server2 "SELECT value3 FROM db2.table"]
    | table value1, value2, value3

I have two tables, in two databases on two different servers that I need to join. They have a single common value (we'll say value2 here). When running the actual code, "value3" is the same for every row. I'm not sure where I have this wrong, but I don't understand how the splunk join works between two servers like this.

Thoughts?

0 Karma
Reply

davebrooking
Contributor
‎05-27-2015 02:36 PM

What database and version are you trying to query, is it SQL Server, MySQL or something else. If you were to remove Splunk from the equation and reduce it to a SQL conundrum, Using SQL Server if Server2 is defined as a linked server of Server1, the query could be satisfied with something like

SELECT a.col1, a.col2, b.col3
FROM   Server1.db1.owner.table a
LEFT OUTER JOIN Server2.db2.owner.table b
ON       a.col2= b.col2

which uses a 4 part table identifier of the form MyServer.MyDatabase.TableOwner.Mytable

Can you do something similar and use the database tools to manage the join and remove the Splunk join command?

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎05-30-2015 02:42 PM

Agreed -- either do the work in SQL with optimized joins or index the data and do it in SPL, because this hybrid approach is the worst of both worlds.

0 Karma
Reply

aweitzman
Motivator
‎05-27-2015 10:21 AM

It doesn't appear that you're returning value2 in your query from Server2, so that's pretty much guaranteed not to work. You need to have that field in the table you're joining with.

0 Karma
Reply

stevenahl
New Member
‎05-27-2015 10:42 AM 
 | dbquery Server1 "SELECT value1, value2 FROM db1.table"
 | join type=left value2 [| dbquery Server2 "SELECT value2, value3 FROM db2.table"]
 | table value1, value2, value3

Still does the same thing...

0 Karma
Reply

jcoates_splunk
Splunk Employee
Splunk Employee
‎05-30-2015 02:41 PM

put dollar signs around the values in the second dbquery

0 Karma
Reply

aweitzman
Motivator
‎05-27-2015 11:18 AM

Does this work?

  | dbquery Server1 "SELECT value1, value2 FROM db1.table"
  | join type=left value2 [search dbquery Server2 "SELECT value2, value3 FROM db2.table"]
  | table value1, value2, value3

(Replaced the pipe with search in the subsearch)

0 Karma
Reply

stevenahl
New Member
‎05-27-2015 11:54 AM

Still no joy.

0 Karma
Reply
Get Updates on the Splunk Community!

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...