Splunk Search

Splunk DB Connect: Why am I unable to perform a lookup to enhance my dbquery results?

dstaulcu
Builder

I'd like to be able to enhance DB Connect results with details in a lookup table file.

For some reason, the lookup is not working. I know the host field exists both in my dbquery results and my lookup table file. Here is the syntax I am using:

| dbquery "myconnection" "mysqlquery" 
| fields host interestingvalue 
| lookup hostdetails.csv host OUTPUT interestinghostdetail

Anyone have any ideas why this isn't working / wouldn't work?

Inputs appreciated!

0 Karma

ckurtz
Path Finder

Make sure that the lookup of hostdetails.csv is available inside the DBXv1 app context.

0 Karma

woodcock
Esteemed Legend

Try without fields.

0 Karma

javiergn
SplunkTrust
SplunkTrust

I would do it differently and using subsearches and inputlookup:

| inputlookup hostdetails
| search [| dbquery "myconnection" "mysqlquery" | table host interestingvalue]

javiergn
SplunkTrust
SplunkTrust

Keep in mind you could have the dbquery first and then filter based on your inputlookup

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...