I have successfully installed and configured DBConnect 3.11 on a search-head and I'm able to query and output data to/from an AWS RDS Aurora database.
My problem happens when I try to run a dbxlookup against my data search results.
From: /opt/splunk/var/log/splunk/splunk_app_db_connect_audit_command.2017-10-15.log
2017-10-15 20:01:47.139 2886@splunk-sh1 [main] INFO com.splunk.dbx.connector.logger.AuditLogger - operation= connection_name= stanza_name= state=success sql='SELECT "ip", "dns" FROM (SELECT time, ip, dns FROM `hostip_lookup`.`table_name`) dbxlookup WHERE "ip" IN (?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,)'
I ran this query manually and I am not getting the expected results.
SELECT "ip", "dns" FROM (SELECT time, ip, dns FROM `hostip_lookup`.`table_name`) dbxlookup
I expected to see the results from my table, instead I see:
|# ip, dns
|ip, dns
|...<repeated>...
|ip, dns
|ip, dns
It appears that using double quotes for the column names ( SELECT "ip", "dns" FROM ... ) is incorrect. And, instead of returning the record values, it is returning "ip" and "dns" for every record. This is generated by DBConnect and I am only able to change the query in the subselect (within the parenthesis () ).
Taking the quotes away from the column names returns the expected results:
SELECT ip, dns FROM (SELECT time, ip, dns FROM `hostip_lookup`.`table_name`) dbxlookup
Questions to my fellow Splunk Ninjas:
1. Is DBConnect generating incorrect SQL? Or, have I configured something wrong?
2. Is there any way to not wrap my query within parentheses? Or can I change how Splunk is quoting my column names?
... View more