joining result of a query with another db query

anoopambli · ‎12-10-2014

I have two queries,

2) |dbquery OPSCONFIGAPP limit=1000 "select hostname, tier_level_str,classification from opsconfig.ac_servers_for_fsc"

The first query gives me a result of server names and last reboot time like below,
scssum1 1357
lbos655 1187
adal480 1186

The second query is basically asset info of servers and gives result as below,

servername tier level Classification

lbos655 Linux Server Support - Gold Production

servername field is common in both the searches, i want to merge result of both the searches and get an end result like below,

lbos655 1187 Linux Server Support - Gold Production

How can i achieve this?

musskopf · ‎12-10-2014

Hello anoopambli,

You'll need to use a DB Lookup, which works the same way as a file lookup, the difference is that it uses the SQL a source of data. Have a look on the DB Connect documentation how to do that: http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Setupadatabaselookuptable

I believe you'll be able to do everything using the GUI, no need to edit files by hand. Another thing to remember is that lookups are case-sensitive.

Hope I pointed you to the right direction.

Cheers