All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Not able to access saved searches (report) through Splunk ODBC?

manojkumargowda
New Member
‎03-11-2023 10:12 PM

Hello All,

We are not able to access some saved searches through ODBC splunk connector while we can access some saved searches. I guess it is to do with the permissions of the saved searches (report) in Splunk. We tried giving all the accesses to the report, but still it doesn't return any result in QLiksense (reporting tool) using Splunk ODBC.

manojkumargowda_0-1678601316583.png

manojkumargowda_0-1678601493383.png

 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

niyaz006
Path Finder
‎05-08-2023 07:27 PM

Can we pull data directly from the index using odbc? Or only saved searches?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-09-2023 05:39 AM

ODBC does not support ad-hoc queries.  They must invoke a saved search.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

manojkumargowda
New Member
‎03-12-2023 08:52 AM

Also one more thing is, when we run the saved search through ODBC, it creates a job in Splunk. The jobs for the saved searches which are not fetching any records are getting expired in few seconds while the ones that are accessible by Splunk ODBC are usually expires after few minutes. 

Is this something to do with the above issue? 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-12-2023 07:23 AM

That error message do not mean you cannot access the saved search.  It means the saved search ran successfully, but produced no results.  Depending on the search, that my be completely normal.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

manojkumargowda
New Member
‎03-12-2023 08:46 AM

Thanks @richgalloway  for your response.

Yes, you are right. Saved search ran successfully but it didn't fetch any records. The same saved search returns results when I run it in Splunk UI. 

It's weird that I can access some saved searches through Splunk ODBC, but some are not, though both are having same permissions.  

manojkumargowda_0-1678635688385.png

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-12-2023 11:07 AM

Make sure the ODBC user has the role(s) necessary to access the desired saved searches and the indexes that feed them.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...