Solved: Why doesn't dbquery as a subsearch produce expecte...

NigelCooke · ‎11-20-2014

I'm having problems with getting a dbquery command to filter the results of a search.

When I run this search :

| dbquery PUMA_T3_ADHOC_REPORTING "select distinct AlertKey from (select AlertKey, update_time from alarm_collector order by update_time asc) where rownum = 1"
| eval PointCode = ALERTKEY
| table PointCode

I get a single result, a field called PointCode with a value of RTOX9891.

When I run this search :

index=ams sourcetype=ams TitleCode=GS TitleIndex=0120 EventType=TSAM*
[search dbquery PUMA_T3_ADHOC_REPORTING "select distinct AlertKey from (select AlertKey, update_time from alarm_collector order by update_time asc) where rownum = 1"
| eval PointCode = ALERTKEY
| table PointCode]

I get no resuts, even though when I run this search :

index=ams sourcetype=ams TitleCode=GS TitleIndex=0120 EventType=TSAM* PointCode=RTOX9891

I get two results.

Should not the second search produce the same results as the third search? The subsearch should filter the outer result set to those having a value for PointCode of RTOX9891.

Any idea why the second search doesn't produce results?

acharlieh · ‎11-20-2014

Your subsearch should be just [dbquery... ] doing [search dbquery ...] is actually performing a splunk search which isn't quite what you want.

View solution in original post

acharlieh · ‎11-20-2014

Your subsearch should be just [dbquery... ] doing [search dbquery ...] is actually performing a splunk search which isn't quite what you want.

zarembski · ‎10-31-2017

It worked for me as expected.
Thanks!

NigelCooke · ‎11-20-2014

Can you add your comment as an answer so that I can accept your answer because it was spot on.

acharlieh · ‎11-20-2014

Your subsearch should be [dbquery ... ] not [search dbquery ... ]

Why doesn't dbquery as a subsearch produce expected results?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk