- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- dbconnect returning data from 2 db's with same fie...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk doesn't seem to work with the AS operator in SQl, but rather expects you to RENAME after the query. But what do you do if the query returns the same field name in 2 dbs like this? When I try to rename off the "m.first_name" it doesnt work.
| dbquery DATABASE " SELECT m.first_name AS mFirstName,
mb.first_name AS mb_firstname
FROM DATABASE.TABLE1 m,
DATABASE.TABLE2 mb
WHERE m.id = mb.entity_id"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As some other threads, "AS alias" does not work properly status quo.
I have escaped that you do the following.
ex.
m.first_name+"" AS mFirstName, mb.first_name+"" AS mb_firstname
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use the Advanced setting when you create your lookup and rename it in the SQL query there. Then it will return as any name you want it to. I had to do this with spaces in column names which Splunk did not know how to handle and it worked great.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As some other threads, "AS alias" does not work properly status quo.
I have escaped that you do the following.
ex.
m.first_name+"" AS mFirstName, mb.first_name+"" AS mb_firstname
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bam this worked! Thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If I could use TRIM, I want you to try and TRIM
trim(m.first_name) AS mFirstName, trim(mb.first_name) AS mb_firstname
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The first and last names from both tables have values when just running the query against the SQL db. When adding the suggested (AS) syntax fix to the splunk dbquery the new field names are now displayed in the results from the new search but all the first and last name fields for the renamed table return 0's and not the data from the db.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What data do you missing? Regularity or is likely something?
My environment is MySQL Server 5.5.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This returns the columns now, but doesn't return any data for those renamed columns. running in sql works fine though.
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
