All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk DB Connect 2: How to pass a Splunk username in my dbxquery?

nimeshkakadiya
Explorer
‎06-08-2016 07:39 AM

I am trying to run a query with variables using the dbxquery command. I want to pass Splunk username in my query. I have tried following, but was not successful:

|rest /services/authentication/current-context | search username!="splunk-system-user" | table username 
| eval user=username 
| eval searchquery="\"SELECT * FROM PERSONS WHERE USERNAME='".user."'\"" 
|search [|dbxquery connection=dev_all_privs query=searchquery shortnames=true|  fields - _*| return ID, FIRST_NAME]| fields *
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎06-10-2016 11:51 AM

Have you tried using the map command instead?
http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Map

You might have better luck with something like: 

|rest /services/authentication/current-context | search username!="splunk-system-user" | table username 
 | eval user=username 
 | eval searchquery="\"SELECT * FROM PERSONS WHERE USERNAME='".user."'\"" 
 |map search="|dbxquery connection=dev_all_privs query=$searchquery$ shortnames=true|  fields - _*| return ID, FIRST_NAME"

View solution in original post

Reply
Solved! Jump to solution
Solution

ryanoconnor
Builder
‎06-10-2016 11:51 AM

Have you tried using the map command instead?
http://docs.splunk.com/Documentation/Splunk/6.4.1/SearchReference/Map

You might have better luck with something like: 

|rest /services/authentication/current-context | search username!="splunk-system-user" | table username 
 | eval user=username 
 | eval searchquery="\"SELECT * FROM PERSONS WHERE USERNAME='".user."'\"" 
 |map search="|dbxquery connection=dev_all_privs query=$searchquery$ shortnames=true|  fields - _*| return ID, FIRST_NAME"
Reply
Solved! Jump to solution

nimeshkakadiya
Explorer
‎06-16-2016 08:24 AM

Thank you Ryan!

Just want to make a note here that following query worked for me.

|rest /services/authentication/current-context  | search username!="splunk-system-user"
| eval user=username
| eval searchquery="SELECT * FROM PERSONS WHERE USERNAME='".user."'"
| map search="|dbxquery connection=dev_all_privs query=$searchquery$ shortnames=true| fields - _*"
Reply
Solved! Jump to solution

davebrooking
Contributor
‎06-09-2016 03:33 AM

What version of DBConnect 2 are you using? Take a look at this Answer where spaces in the SQL caused a problem, could that be the cause?

Dave

0 Karma
Reply
Solved! Jump to solution

nimeshkakadiya
Explorer
‎06-10-2016 06:48 AM

Dave,

I am using Version 2.2.0.

Related to the link you mentioned, I don't think that encoded version is required with this version because my following query works just fine. I am not sure if there are other syntax errors with my previous query.

|dbxquery connection=dev_all_privs query="SELECT * FROM PERSONS WHERE USERNAME='JOSEPH'" shortnames=true | fields - _*

Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...