Hello,
I would like to trigger the second search/dbxquery based on the results of the first one. I am testing it with the simplest DB query, which should definitely provide the results back:
|where rtetrigger=0
| map maxsearches=1 search="dbxquery query= \"select * from dummy connection=\"HANA_MLBSO\" \" "
but I am getting nothing back. The rtetrigger is correctly set to 0 for testing and the query itself, when executed as a separate query (| dbxquery query="select * from dummy" connection="HANA_MLBSO"), returns the result ("X").
Could you advise? Is it because of the wrong escaping of the " perhaps?
Also, the second question would be: how would I, despite the second query, still present the results of the first query to the user, skipping the result of the second dbxquery?
The reason for that is that the second dbxquery should be a kind of alert action - triggering of the runtime dump on the database depending on the rtetrigger parameter. The dbxquery/dump triggering should get executed, but the results of the first query/search should still be presented.
Kind Regards,
Kamil
I believe ... if I can get my head around this request, that it is indeed possibly an escaping problem.
Focusing only on the part that matters...
search="dbxquery query= \"select * from dummy connection=\"HANA_MLBSO\" \" "
Would mean the search is
"select * from dummy connection="HANA_MLBSO""
And it should be instead
"select * from dummy" connection="HANA_MLBSO"
So maybe ...
search="dbxquery query= \"select * from dummy\" connection=\"HANA_MLBSO\" \" "
?
Hello @rich7177
Finally it turned out it was indeed an issue with formulating the query in a proper way.
Thank you for your hint.
Kind Regards,
Kamil
Any chance you could provide the actual code for a working query? This will help others who find this answer have a better chance of solving their own problems.
Be sure to use the code button to paste it in so it keeps the formatting right.
Happy Splunking,
Rich
Sure, the currently working code is:
|rename comment AS " -- rtedump triggering --"
|eval rtetrigger=case(ALERT_TYPE="MAIN" AND trigger=0,"1",1<2,"0")
|eval host_to_trigger="ls5947"
|where rtetrigger=0
|map maxsearches=1 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump','$host_to_trigger$:30240',?)\" connection=\"HANA_MLBSO_BHT\" "
|rename comment AS " ----------"
So the query is different from the original, because I thought I would start from the simplest at the beginning.
Regards,
Kamil
Beautiful, future searchers thank you for that syntax example!
It does not return any result either. And also I would say we have one escape too many at the end, at least at first glance. However, when I get rid of it and execute:
search="dbxquery query= \"select * from dummy\" connection=\"HANA_MLBSO\" "
then I get the error:
[map]: At least a query or stored procedure parameter is required
Interesting. Any ideas?