Solved: Re: Splunk DBConnect Add Databse Inputs Unable to ... - Page 4

harshavrath · ‎04-02-2014

Hi,

I'm trying to get the DB tables as input into Splunk by using Add DB Inputs in Splunk Manager,
I'm able to index the Data from my table into Splunk when i don't mention the query(the Splunk creates its own query)

But when i mention the query such as this
SELECT * FROM TABLE_NAME {{WHERE ROWNUM <= 30}} I'm unable to index the data into Splunk.

This is very important for me as my tables are very large in size so i can't index them completely i need a Where Condition for this

Any Help is Appreciated,

Thanks.

aelliott · ‎04-02-2014

I think you want something like
SELECT * FROM TABLE_NAME WHERE ROWNUM <= 30 {{AND $rising_column$ > ?}}

Or if you are not doing "Tail"
SELECT * FROM TABLE_NAME WHERE ROWNUM <= 30

The stuff in the brackets will not be run the first time, so putting {{ where rownum <= 30 }} will exclude this from the first run.

View solution in original post

aelliott · ‎04-02-2014

The stuff in the brackets will not be run the first time the query is run, so if you have curly braces around that, it will grab all your data. the curly braces are meant to hold the {{ $rising_column$ > ?}} pattern

harshavrath · ‎04-02-2014

I meant the query to be used for indexing shouldn't we use curly braces for where condition.

harshavrath · ‎04-02-2014

If i use dbquery Epoch time is returned i was able to convert it using fieldformat-strftime.

aelliott · ‎04-02-2014

SELECT * FROM TABLE_NAME WHERE DateField <= '01/01/2014 00:00:00' and DateField >= '03/31/2014 23:59:59'

harshavrath · ‎04-02-2014

what I'm i supposed to include in a query if i want to index 1000 rows in a specified time range say Jan 14 to Mar 14.

harshavrath · ‎04-02-2014

the errors are in the Query that we specify when we go indexing the DB data into Splunk,IF i don't provide the Query the complete table will be indexed into Splunk.

harshavrath · ‎04-02-2014

2014-04-02 05:21:09.047 dbx6822:ERROR:TailDatabaseMonitor - Configuration Error: [DB_NAME] Invalid query "SELECT * FROM TABLE_NAME {{WHERE ROWNUM <= 10}}" without proper {{ ... $rising_column$ > ?}} pattern!

harshavrath · ‎04-02-2014

2014-04-02 07:44:01.283 dbx2674:ERROR:TailDatabaseMonitor - Configuration Error: [DB_NAME] Invalid query "SELECT * FROM TABLE_NAME {{AND UPDATED_DT > to_date (2001-06-01,'YYYY-MM-DD"T"HH:MI:SS')}}" without proper {{ ... $rising_column$ > ?}} pattern!

richgalloway · ‎04-02-2014

What do you mean, exactly, when you say you're unable to index the data? Do you get an error message? Is there anything in dbx.log?

---
If this reply helps you, Karma would be appreciated.

Splunk DBConnect Add Databse Inputs Unable to index when we specify the Query

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation