Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Subsearch NOT with dbxquery

teknet9
Path Finder
‎08-25-2016 02:46 AM

Hello Team,

I do have dbquery from mysql:
|dbxquery query="SELECT mac FROM pc.pc" connection=MYSQL shortnames=true | fields - _*

This one displayes all the mac addresses from mysql.

I also have:
host="10.62.140.64" MACAddress
This one is displaying syslogs with all MACAddress values like MACAddress=00:01:02:03:04:05

I wanted to combine both and have a search which displays only syslogs with MACAddresses which are not in mysql database.
I have tried:
host="10.62.140.64" MACAddress NOT [dbxquery query="SELECT mac FROM pc.pc" connection=MYSQL shortnames=true | fields - _*]

But still all MACAddresses are being displayed. It looks like i can not correlate MACAddress with mac from subsearch. Could you help ?

Thanks,
Michal

0 Karma
Reply

renjith_nair
Legend
‎08-26-2016 08:01 AM

Try this

host="10.62.140.64" MACAddress NOT [|dbxquery query="SELECT mac as MACAddress  FROM pc.pc" connection=MYSQL shortnames=true | fields MACAddress ]
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

teknet9
Path Finder
‎08-27-2016 11:29 PM

Hi Renjith.Nair

I can not since then mysql column name is different, so my real query has to remane this field:
host="10.62.140.64" MACAddress NOT [dbxquery query="SELECT mac FROM pc.pc" connection=MYSQL shortnames=true | fields mac | rename mac as MACAddress ]

But what i find interesting is that it looks like dbxquery is searching only for 100 000 entries ? (while i have 171K) ? But when i try to:
add "search MACAddress=00:50:B6:11:EA:CE" to my dbxquery that entry is being returned correctly.

Let me paste dbquery results:
alt text

We can see that mac, while the combined search still returns that record while it should not:
alt text

So maybe it is the issue with max 100k records ? Can i change it somehow ?

Thanks,
Michal

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

renjith_nair
Legend
‎08-28-2016 07:00 PM

I thought you could rename in the select itself ,like mac as MACAddress in SQL. Anyway if you are able to change it somehow it's fine. Subquery limit is 10k and you can change it in http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf (be careful).
Also try adding format at the end of your subquery ie dbxquery query="SELECT mac FROM pc.pc" connection=MYSQL shortnames=true | fields mac | rename mac as MACAddress|format

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...