Splunk Search

DBX JOIN 2 databases together

hartfoml
Motivator

I can write a search like this:

| dbquery "DB1" "SELECT A.* AOS.* FROM Assets A JOIN AssetOSs AOS ON A.AssetOSID = AOS.AssetOSID" | Search *

How would I do a dbquery Join Statement for two different databases???

| dbquery "DB1|DB2" "SELECT DB1A.IPAddressStr DB2M.User FROM DB1.Assets DB1A JOIN DB2.Machines DB2M ON DB1A.IPAddressStr = DB2M.IP"

This doesn't work!!

Any help would be great

Tags (2)
0 Karma
1 Solution

linu1988
Champion

we should not do any join and let the data come to splunk. It is wastage of resource and not proper usage of the database engine itself

No need to include any other db in the query. Just put one single query and then write down the query using conventional join. Just include the full name, DB.schema.table name. it will work

View solution in original post

linu1988
Champion

we should not do any join and let the data come to splunk. It is wastage of resource and not proper usage of the database engine itself

No need to include any other db in the query. Just put one single query and then write down the query using conventional join. Just include the full name, DB.schema.table name. it will work

pmdba
Builder

This assumes that the databases are similar, and that you can select all the data you want from a single database (i.e. that the two databases are linked apart from Splunk). If the data sources from different database types (e.g. Oracle and MSSQL) this will not work. If the two databases are not linked in some way to allow one to query the other, then joining the data in Splunk is your only option, even if it's not the most efficient way to do things.

0 Karma

linu1988
Champion

the database engine is more powerful than Splunk's query engine as database knows how the data is stored and retrieved. Selecting them both then do a join in splunk is not proper use of network.The desired data can be taken from the DB directly and then with Splunk's command you can manipulate

For e.g. if you have 10 Million records in both the tables and the desired result is only 30000 records then in DB you only see 20 Million.But when you do it in splunk you are taking 20+20 Million to the join,which takes more time and resource.But joining DB data with splunk's raw data will be useful

0 Karma

hartfoml
Motivator

Can you explain briefly what you mean by "wastage of resource and not proper usage of the database engine" For use no SQL types.

0 Karma

pmdba
Builder
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...