Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

trigger second search/dbxquery based on the result of the first search

damucka
Builder
‎06-12-2019 01:20 AM

Hello,

I would like to trigger the second search/dbxquery based on the results of the first one. I test it with the simpliest DB query, which should definitely provide the results back:

|where rtetrigger=0
| map maxsearches=1 search="dbxquery query= \"select  * from dummy connection=\"HANA_MLBSO\" \" "

but I am getting nothing back. The rtetrigger is correctly set to 0 for testing and the query itself, when executed as separate query (| dbxquery query="select * from dummy" connection="HANA_MLBSO") returns the result ("X").
Could you advice? Is it because of the wrong escaping of the " perhaps?

Also, the second question would be how would I, despite of the second query, still present the results of the first query to the user skipping the result of the second dbxquery?
The reason for that is that the second dbxquery should be kind of alert action - triggering of the runtime dump on the database depending on the rtetrigger parameter. The dbxquery/dump triggering should get executed, but the results of the first query/search should still be presented.

Kind Regards,
Kamil

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎06-12-2019 12:10 PM

I believe ... if I can get my head around this request, that it is indeed possibly an escaping problem.

Focusing only on the part that matters...

search="dbxquery query= \"select * from dummy connection=\"HANA_MLBSO\" \" "
Would mean the search is
"select * from dummy connection="HANA_MLBSO""
And it should be instead
"select * from dummy" connection="HANA_MLBSO"
So maybe ...
search="dbxquery query= \"select * from dummy\" connection=\"HANA_MLBSO\" \" " ?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎06-12-2019 12:10 PM

I believe ... if I can get my head around this request, that it is indeed possibly an escaping problem.

Focusing only on the part that matters...

search="dbxquery query= \"select * from dummy connection=\"HANA_MLBSO\" \" "
Would mean the search is
"select * from dummy connection="HANA_MLBSO""
And it should be instead
"select * from dummy" connection="HANA_MLBSO"
So maybe ...
search="dbxquery query= \"select * from dummy\" connection=\"HANA_MLBSO\" \" " ?

0 Karma
Reply
Solved! Jump to solution

damucka
Builder
‎06-19-2019 05:10 AM

Hello @rich7177

Finally it turned out it was indeed an issue with the formulating the query in a proper way.
Thank you for your hint.

Kind Regards,
Kamil

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎06-19-2019 06:24 AM

Any chance you could provide the actual code for a working query? This will help others who find this answer have a better chance of solving their own problems.

Be sure to use the code button to paste it in so it keeps the formatting right.

Happy Splunking,
Rich

0 Karma
Reply
Solved! Jump to solution

damucka
Builder
‎06-19-2019 06:36 AM

Sure, the currently working code is:

|rename comment AS " -- rtedump triggering --"
|eval rtetrigger=case(ALERT_TYPE="MAIN" AND trigger=0,"1",1<2,"0")
|eval host_to_trigger="ls5947"

|where rtetrigger=0
 |map maxsearches=1 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump','$host_to_trigger$:30240',?)\" connection=\"HANA_MLBSO_BHT\" "

|rename comment AS " ----------"

S the query is different from the original, because I thought I would start from the simplest at the beginning.

Regards,
Kamil

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎06-19-2019 07:39 AM

Beautiful, future searchers thank you for that syntax example!

0 Karma
Reply
Solved! Jump to solution

damucka
Builder
‎06-12-2019 11:50 PM

It does not return any result either. And also I would say we have one escape too much at the end, at least at the first glance. However when I get rid of it and execute:

search="dbxquery query= \"select * from dummy\" connection=\"HANA_MLBSO\" "

then I get the error:
[map]: At least a query or stored procedure parameter is required

Interesting. Any ideas?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...