Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Results of DB lookup as terms in search string

gpburgett
Splunk Employee
Splunk Employee
‎04-05-2011 07:32 AM

We've got a very interesting use case from a customer that we're trying to get set up for them, but we've been having problems because of some of the constraints of their environment. They are a call/monitoring center for a large company that monitors events from several different systems across their enterprise. Each system has an individual operations team that collects events which are then streamed along to the monitoring center in XML format so that the monitoring center can see them on their dashboards in real-time which is nice. However the events from each system are not normalized with common fields, especially regarding information that could be linked to a specific customer. They have all of their customer information in a separate database but don't have a way of mapping that to the incoming events. So, when they get a call from a customer they have no way of linking the customer probleman to specific events.

The goal:

When a customer complaint comes in, we want the support staff to be able to enter the customer name in a form and first lookup that name in the customer database and return values that could be used as identifiers in related events like customer name, customer code, device number etc. We then want to search for those values in the event data.

The barriers:

Access: The center does not have access to the original events, just a single mixed stream of incoming events so the events cannot be divided into different sourcetypes (as far as I know). 4.2 does not support field extraction by event type, so I can not think of a way to break up the events to define their fields separately.

So I guess my question has two parts:

1) How can I execute a database lookup script using input from a form type search?

and

2) How can I take the results from the database lookup and search on them unrelated to field?

ie) Call Center entered Customer Name: Splunk

Database query returns: CUSTNAME=SPLUNK  CUSTCODE=000001  DEVICENUM=01010101  etc.

Search string: search "SPLUNK" OR "00001" OR "01010101"

PS: I apologize for the long explanation. I just thought it would be useful to have some background information.

Tags (2)
0 Karma
Reply

Dan
Splunk Employee
Splunk Employee
‎01-16-2013 03:27 PM

You can now do this with the DB Connect app. You can either use a lookup or use the dbquery command to pull back identifying information for the customer specified in the form.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...