Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Unable to run query '| dbxquery query ?

mateusztumi84
Observer
‎02-16-2023 04:36 AM

Hi,

I'm quite fresh in splunk and need your help. Trying to combine spl with sql.

tag 25 is event id same as  sql ele.batch_event_id

I suspect ele.batch_event_id = $25$ is wrong.

Any idea please 🙂

Error is :

Unable to run query '| dbxquery query= "SELECT MIN (ele.process_time) as MIN_PROCESS_time ,MAX (ele.process_time) as MAX_PROCESS_time FROM estar.estar_loopback_events ele, estar.engine_configuration ec WHERE ele.engine_instance = ec.engine_instance AND ele.batch_event_id = $25$ AND process_time BETWEEN TO_DATE('20230215:00:00','YYYYMMDD hh24:mi:ss') and TO_DATE('20230216 12:59:59','YYYYMMDD hh24:mi:ss') " connection='stardb' '.

 

Search:

index=star_linux sourcetype=engine_processed_events 2961= BBHCC-S2PBATCHPOS-BO OR BBHCC-S2PBATCHPOS-B2 OR BBHCC-S2PBATCHPOS-PO OR BBHCC-SOD-IF-Weekday-1 AND 55:GEN_STAR_PACE
|table 4896,25,55,2961

| map search="| dbxquery query= \"SELECT MIN (ele.process_time) as MIN_PROCESS_time ,MAX (ele.process_time) as MAX_PROCESS_time
FROM
estar.estar_loopback_events ele,
estar.engine_configuration ec
WHERE ele.engine_instance = ec.engine_instance
AND ele.batch_event_id = $25$
AND process_time BETWEEN TO_DATE('20230215:00:00','YYYYMMDD hh24:mi:ss')
and TO_DATE('20230216 12:59:59','YYYYMMDD hh24:mi:ss') \" connection='stardb' "
|table 4896, 25,MIN_PROCESS_time, MAX_PROCESS_time

Labels (1)
Labels
0 Karma
Reply

mateusztumi84
Observer
‎02-20-2023 01:15 AM

ele.engine_instance is alfanumeric field like 6JPK6699UV05FV51 eg.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-16-2023 05:25 AM

The construct $<something>$ is valid only with the map command or in a dashboard.  In every case, however, <something> must be a token name or field name rather than a number.

If ele.batch_event_id is a number then use ele.batch_event_id=25; otherwise, use ele.batch_event_id = "25"

---
If this reply helps you, Karma would be appreciated.
Reply

mateusztumi84
Observer
‎02-20-2023 01:16 AM

ele.engine_instance is alfanumeric field like 6JPK6699UV05FV51 eg.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...