Splunk Search

trigger second search/dbxquery based on the result of the first search

damucka
Builder

Hello,

I would like to trigger the second search/dbxquery based on the results of the first one. I test it with the simplest DB query, which should definitely provide the results back:

|where rtetrigger=0
| map maxsearches=1 search="dbxquery query= \"select  * from dummy connection=\"HANA_MLBSO\" \" "

but I am getting nothing back. The rtetrigger is correctly set to 0 for testing and the query itself, when executed as separate query (| dbxquery query="select * from dummy" connection="HANA_MLBSO") returns the result ("X").
Could you advise? Is it because of the wrong escaping of the " perhaps?

Also, the second question would be: how would I, despite the second query, still present the results of the first query to the user, skipping the result of the second dbxquery?
The reason for that is that the second dbxquery should be a kind of alert action - triggering of the runtime dump on the database depending on the rtetrigger parameter. The dbxquery/dump triggering should get executed, but the results of the first query/search should still be presented.

Kind Regards,
Kamil

1 Solution

Richfez
SplunkTrust

I believe ... if I can get my head around this request, that it is indeed possibly an escaping problem.

Focusing only on the part that matters...

search="dbxquery query= \"select * from dummy connection=\"HANA_MLBSO\" \" "
Would mean the search is
"select * from dummy connection="HANA_MLBSO""
And it should be instead
"select * from dummy" connection="HANA_MLBSO"
So maybe ...
search="dbxquery query= \"select * from dummy\" connection=\"HANA_MLBSO\" \" " ?

0 Karma

damucka
Builder

Hello @rich7177

Finally, it turned out it was indeed an issue with formulating the query in a proper way.
Thank you for your hint.

Kind Regards,
Kamil

0 Karma

Richfez
SplunkTrust

Any chance you could provide the actual code for a working query? This will help others who find this answer have a better chance of solving their own problems.

Be sure to use the code button to paste it in so it keeps the formatting right.

Happy Splunking,
Rich

0 Karma

damucka
Builder

Sure, the currently working code is:

|rename comment AS " -- rtedump triggering --"
|eval rtetrigger=case(ALERT_TYPE="MAIN" AND trigger=0,"1",1<2,"0")
|eval host_to_trigger="ls5947"

|where rtetrigger=0
 |map maxsearches=1 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump','$host_to_trigger$:30240',?)\" connection=\"HANA_MLBSO_BHT\" "

|rename comment AS " ----------"

So the query is different from the original, because I thought I would start from the simplest at the beginning.

Regards,
Kamil

0 Karma

Richfez
SplunkTrust

Beautiful, future searchers thank you for that syntax example!

0 Karma

damucka
Builder

It does not return any result either. And also I would say we have one escape too many at the end, at least at first glance. However, when I get rid of it and execute:

search="dbxquery query= \"select * from dummy\" connection=\"HANA_MLBSO\" "

then I get the error:
[map]: At least a query or stored procedure parameter is required

Interesting. Any ideas?

0 Karma
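
Added example, not part of the original thread and not Splunk's own parser: a small Python lint that undoes the one layer of \" escaping in a map search="..." value and reports which key= arguments sit outside quotes in the inner dbxquery command, run on the four strings posted above. The quoting model and the names inner_search and lint are assumptions; a space after query= is flagged only because the quote-balanced attempt that failed has it and the working query does not, and that this space is the cause is an assumption.

```python
import re

# The four search= values posted in the thread, copied as written.
ORIGINAL = r'"dbxquery query= \"select  * from dummy connection=\"HANA_MLBSO\" \" "'
SUGGESTED = r'"dbxquery query= \"select * from dummy\" connection=\"HANA_MLBSO\" \" "'
RETRY = r'"dbxquery query= \"select * from dummy\" connection=\"HANA_MLBSO\" "'
WORKING = r'''"dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump','$host_to_trigger$:30240',?)\" connection=\"HANA_MLBSO_BHT\" "'''

def inner_search(map_arg):
    # Undo one quoting layer: the text inside search="..." with \" read as ".
    s = map_arg.strip()
    if not s.startswith('"'):
        raise ValueError("search= value must be double-quoted")
    out, i = [], 1
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):  # escaped character: keep it literally
            out.append(s[i + 1])
            i += 2
        elif s[i] == '"':                    # unescaped quote ends the value
            return "".join(out)
        else:
            out.append(s[i])
            i += 1
    raise ValueError("unterminated search= value")

def lint(map_arg):
    # Report what the inner command receives: key= names found outside quotes,
    # whether a quote is left open, and keys followed by a space (assumed suspicious).
    inner = inner_search(map_arg)
    keys, spaced, in_quote, i = [], [], False, 0
    while i < len(inner):
        if inner[i] == '"':
            in_quote = not in_quote
        elif not in_quote and (i == 0 or inner[i - 1].isspace()):
            m = re.match(r"([A-Za-z_]\w*)=", inner[i:])
            if m:
                keys.append(m.group(1))
                if inner[i + m.end():i + m.end() + 1].isspace():
                    spaced.append(m.group(1))
                i += m.end() - 1
        i += 1
    return {"inner": inner, "keys": keys, "unbalanced": in_quote, "space_after_eq": spaced}

if __name__ == "__main__":
    for name in ("ORIGINAL", "SUGGESTED", "RETRY", "WORKING"):
        print(name, lint(globals()[name]))
```

Only WORKING comes back with both query and connection as top-level keys, no open quote and no space after the equals sign.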