I'm having problems with getting a dbquery command to filter the results of a search.
When I run this search:
| dbquery PUMA_T3_ADHOC_REPORTING "select distinct AlertKey from (select AlertKey, update_time from alarm_collector order by update_time asc) where rownum = 1"
| eval PointCode = ALERTKEY
| table PointCode
I get a single result, a field called PointCode with a value of RTOX9891.
When I run this search:
index=ams sourcetype=ams TitleCode=GS TitleIndex=0120 EventType=TSAM*
[search dbquery PUMA_T3_ADHOC_REPORTING "select distinct AlertKey from (select AlertKey, update_time from alarm_collector order by update_time asc) where rownum = 1"
| eval PointCode = ALERTKEY
| table PointCode]
I get no results, even though when I run this search:
index=ams sourcetype=ams TitleCode=GS TitleIndex=0120 EventType=TSAM* PointCode=RTOX9891
I get two results.
Should not the second search produce the same results as the third search? The subsearch should filter the outer result set to those having a value for PointCode of RTOX9891.
Any idea why the second search doesn't produce results?
Your subsearch should be just [dbquery... ]; doing [search dbquery ...] is actually performing a Splunk search, which isn't quite what you want.
It worked for me as expected.
Thanks!
Can you add your comment as an answer so that I can accept your answer? It was spot on.
Your subsearch should be [dbquery ... ] not [search dbquery ... ]