Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

dbconnect returning data from 2 db's with same field names

Cuyose
Builder
‎08-26-2013 01:50 PM

Splunk doesn't seem to work with the AS operator in SQl, but rather expects you to RENAME after the query. But what do you do if the query returns the same field name in 2 dbs like this? When I try to rename off the "m.first_name" it doesnt work.

| dbquery DATABASE " SELECT m.first_name AS mFirstName,
mb.first_name AS mb_firstname
FROM DATABASE.TABLE1 m,

DATABASE.TABLE2 mb

WHERE m.id = mb.entity_id"

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎08-26-2013 04:52 PM

As some other threads, "AS alias" does not work properly status quo.
I have escaped that you do the following.

ex.
m.first_name+"" AS mFirstName, mb.first_name+"" AS mb_firstname

View solution in original post

Reply
Solved! Jump to solution

rdownie
Communicator
‎08-27-2013 06:02 PM

You can use the Advanced setting when you create your lookup and rename it in the SQL query there. Then it will return as any name you want it to. I had to do this with spaces in column names which Splunk did not know how to handle and it worked great.

0 Karma
Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎08-26-2013 04:52 PM

As some other threads, "AS alias" does not work properly status quo.
I have escaped that you do the following.

ex.
m.first_name+"" AS mFirstName, mb.first_name+"" AS mb_firstname

Reply
Solved! Jump to solution

Cuyose
Builder
‎08-27-2013 06:15 PM

Bam this worked! Thank you!

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎08-27-2013 05:57 PM

If I could use TRIM, I want you to try and TRIM

trim(m.first_name) AS mFirstName, trim(mb.first_name) AS mb_firstname

Reply
Solved! Jump to solution

Cuyose
Builder
‎08-27-2013 07:57 AM

The first and last names from both tables have values when just running the query against the SQL db. When adding the suggested (AS) syntax fix to the splunk dbquery the new field names are now displayed in the results from the new search but all the first and last name fields for the renamed table return 0's and not the data from the db.

0 Karma
Reply
Solved! Jump to solution

HiroshiSatoh
Champion
‎08-26-2013 06:12 PM

What data do you missing? Regularity or is likely something?
My environment is MySQL Server 5.5.

0 Karma
Reply
Solved! Jump to solution

Cuyose
Builder
‎08-26-2013 05:38 PM

This returns the columns now, but doesn't return any data for those renamed columns. running in sql works fine though.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...