Getting Data In

General question regarding indexing

vikas_gopal
Builder

Hi Guys,

Please help me to understand how indexing will work if we hit to an external database.For example if I prepare a dashboard from SQL database via "splunk db connect app" then how indexing works.

Regards
Vikas

Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

It's not clear what your looking for. Anything DB Connect reads from a SQL database will be stored in the index specified in DB Connect. The indexing itself works the same as for any other data source.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

It's not clear what your looking for. Anything DB Connect reads from a SQL database will be stored in the index specified in DB Connect. The indexing itself works the same as for any other data source.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust
SplunkTrust

You're right. Without a sourcetype, your SQL data would not be broken out into fields. See if you can change the definition of the DB Connect input to add a sourcetype. If that's not possible, you'll have to parse the _raw yourself using rex.

---
If this reply helps you, Karma would be appreciated.
0 Karma

vikas_gopal
Builder

even it is not working if I just mentioned | fields date in the search bar I mean how would splunk knows date field from which database and from which table without source or sourcetype ....Not sure if I am clear to you

0 Karma

richgalloway
SplunkTrust
SplunkTrust

So you can leave the index and sourcetype keywords out of your search since there are no values to use. You'll need to find other criteria to use to narrow your search.

---
If this reply helps you, Karma would be appreciated.
0 Karma

vikas_gopal
Builder

strange I have one database input and for that sourcetype is "None" and Splunk Index is "default" don't think so if solves my purpose....:(

0 Karma

richgalloway
SplunkTrust
SplunkTrust

To find the index name, go to Manager->Data Inputs->Database Inputs and you'll see the index for all defined database inputs. You'll also see the sourcetype names which you can put into your search query.

---
If this reply helps you, Karma would be appreciated.
0 Karma

vikas_gopal
Builder

Thanks Richgalloway,
Thanks for the clarity that indexing works the same for all the data sources. Actually I am not sure which index name specified at the time of DB connect .Is it possible to find out the index name ?

Why I am asking all these basic questions as i want to type a dbquery in Search bar .My dbquery is "| dbquery "databasename" "select date from abc" ".
I want to type it in search bar as
index=?? source=?? sourcetype=?? |fields date

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...