trigger second search/dbxquery based on the result of the first search

Contributor

Hello,

I would like to trigger the second search/dbxquery based on the results of the first one. I test it with the simplest DB query, which should definitely provide the results back:

|where rtetrigger=0
| map maxsearches=1 search="dbxquery query= \"select  * from dummy connection=\"HANA_MLBSO\" \" "

but I am getting nothing back. The rtetrigger is correctly set to 0 for testing and the query itself, when executed as a separate query (| dbxquery query="select * from dummy" connection="HANA_MLBSO"), returns the result ("X").
Could you advise? Is it because of the wrong escaping of the " perhaps?

Also, the second question would be: how would I, despite the second query, still present the results of the first query to the user, skipping the result of the second dbxquery?
The reason for that is that the second dbxquery should be a kind of alert action: triggering the runtime dump on the database depending on the rtetrigger parameter. The dbxquery/dump triggering should get executed, but the results of the first query/search should still be presented.

Kind Regards,
Kamil

0 Karma

Re: trigger second search/dbxquery based on the result of the first search

SplunkTrust

I believe ... if I can get my head around this request, that it is indeed possibly an escaping problem.

Focusing only on the part that matters...

search="dbxquery query= \"select * from dummy connection=\"HANA_MLBSO\" \" "
Would mean the search is
"select * from dummy connection="HANA_MLBSO""
And it should be instead
"select * from dummy" connection="HANA_MLBSO"
So maybe ...
search="dbxquery query= \"select * from dummy\" connection=\"HANA_MLBSO\" \" " ?


0 Karma

Re: trigger second search/dbxquery based on the result of the first search

Contributor

It does not return any result either. And also I would say we have one escape too many at the end, at least at first glance. However, when I get rid of it and execute:

search="dbxquery query= \"select * from dummy\" connection=\"HANA_MLBSO\" "

then I get the error:
[map]: At least a query or stored procedure parameter is required

Interesting. Any ideas?

0 Karma

Re: trigger second search/dbxquery based on the result of the first search

Contributor

Hello @rich7177

Finally, it turned out it was indeed an issue with formulating the query in a proper way.
Thank you for your hint.

Kind Regards,
Kamil

0 Karma

Re: trigger second search/dbxquery based on the result of the first search

SplunkTrust

Any chance you could provide the actual code for a working query? This will help others who find this answer have a better chance of solving their own problems.

Be sure to use the code button to paste it in so it keeps the formatting right.

Happy Splunking,
Rich

0 Karma

Re: trigger second search/dbxquery based on the result of the first search

Contributor

Sure, the currently working code is:

|rename comment AS " -- rtedump triggering --"
|eval rtetrigger=case(ALERT_TYPE="MAIN" AND trigger=0,"1",1<2,"0")
|eval host_to_trigger="ls5947"

|where rtetrigger=0
 |map maxsearches=1 search="dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump','$host_to_trigger$:30240',?)\" connection=\"HANA_MLBSO_BHT\" "

|rename comment AS " ----------"

So the query is different from the original, because I thought I would start from the simplest at the beginning.

Regards,
Kamil

0 Karma
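
An added example, not part of the original thread or any poster's code: a small Python lint that strips one quoting level from the map `search="..."` values quoted in this thread and reports which dbxquery arguments end up at top level. The parsing is a simplified model, not Splunk's parser, and the whitespace warning is an assumption drawn from the one search confirmed working above.

```python
import re

# Values of map's search="..." argument, copied from the posts in this thread.
ORIGINAL = r'''dbxquery query= \"select  * from dummy connection=\"HANA_MLBSO\" \" '''
SUGGESTED = r'''dbxquery query= \"select * from dummy\" connection=\"HANA_MLBSO\" \" '''
WORKING = r'''dbxquery query=\"call SYS.MANAGEMENT_CONSOLE_PROC('runtimedump dump','$host_to_trigger$:30240',?)\" connection=\"HANA_MLBSO_BHT\" '''


def inner_command(search_arg):
    # Inside search="...", a backslash-escaped quote stands for a plain quote.
    return search_arg.replace('\\"', '"')


def lint_map_dbxquery(search_arg):
    # Simplified model (assumption): arguments are key="value" pairs and a
    # double quote always toggles quoting. Returns a list of problems.
    inner = inner_command(search_arg)
    problems = []
    if inner.count('"') % 2:
        problems.append("unbalanced double quote")
    quoted = re.findall(r'"([^"]*)"', inner)
    # Blank out quoted values so only top-level key= names remain visible.
    skeleton = re.sub(r'"[^"]*"', '""', inner)
    top_level = set(re.findall(r'(\w+)=', skeleton))
    for key in ("query", "connection"):
        if key not in top_level:
            swallowed = any(key + "=" in q for q in quoted)
            where = "inside a quoted value" if swallowed else "missing"
            problems.append(f"{key}= is {where}")
    if re.search(r'\w=\s', skeleton):
        # Observation from the thread, not a documented rule: the search
        # confirmed working has no space between '=' and the opening quote.
        problems.append("whitespace after '='")
    return problems


if __name__ == "__main__":
    samples = [("original", ORIGINAL), ("suggested", SUGGESTED), ("working", WORKING)]
    for name, value in samples:
        print(f"{name:9} -> {inner_command(value)}")
        print(f"{'':9}    {lint_map_dbxquery(value) or 'ok'}")
```
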

Re: trigger second search/dbxquery based on the result of the first search

SplunkTrust

Beautiful, future searchers thank you for that syntax example!

0 Karma