Splunk DB Connect 1: How can I dynamically search from the lookup CSV file with dbquery?

prakharkulshres
New Member

I have a CSV file with three columns, say Name, Address, Lastname. I get Name from the dbquery, so I want to fetch all the rows present in the CSV file that match the name column.
I was trying something like below:

| dbquery schemaname 'select name from xyz' | lookup xyz.csv name

but it didn't work. Can someone share their views on it?

0 Karma

sduff_splunk
Splunk Employee

Have you properly added the lookup to Splunk, uploading the file, and then creating the lookup? As per http://docs.splunk.com/Documentation/Splunk/6.2.4/Knowledge/Addfieldsfromexternaldatasources, your lookup usually shouldn't reference the actual CSV file, but the lookup that you've created.

If you're still stuck, try breaking the statement up into smaller searches and confirm that you are getting the results at each stage (i.e., run just the dbquery and ensure you get the name field being produced - this will remove the dbconnect as a source of your problem).

0 Karma

prakharkulshres
New Member

Thanks for your reply. I have created the lookup properly and the dbquery is returning the name. When I try to use the name column from the dbquery to search in the lookup, it doesn't return the correct value. I tried something like below:

| dbquery schemaname 'select name from xyz' | join type=inner name [ inputlookup xyz]

This returns the name column and the first row in the lookup, not the matching row.

0 Karma