Splunk Search

joining result of a query with another db query

anoopambli
Communicator

I have two queries,

1) index=coreops sourcetype=sitescope_monitorstat UpTime | rex field=_raw "days=\s(?<UpTime>\d+)" | where UpTime>1000 | table remotehost,UpTime | dedup remotehost | sort -UpTime

2) |dbquery OPSCONFIGAPP limit=1000 "select hostname, tier_level_str,classification from opsconfig.ac_servers_for_fsc"

The first query gives me a result of server names and last reboot time like below,
scssum1 1357
lbos655 1187
adal480 1186

The second query is basically asset info of servers and gives result as below,

servername tier level Classification
lbos655 Linux Server Support - Gold Production

The servername field is common to both searches. I want to merge the results of both searches and get an end result like the one below,

lbos655 1187 Linux Server Support - Gold Production

How can I achieve this?


musskopf
Builder

Hello anoopambli,

You'll need to use a DB Lookup, which works the same way as a file lookup; the difference is that it uses SQL as the source of data. Have a look at the DB Connect documentation on how to do that: http://docs.splunk.com/Documentation/DBX/latest/DeployDBX/Setupadatabaselookuptable

I believe you'll be able to do everything using the GUI, no need to edit files by hand. Another thing to remember is that lookups are case-sensitive.

Hope I pointed you in the right direction.

Cheers

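The DB Lookup in the answer has to be defined in the DB Connect GUI first, so as an added example (not from the original post or from Splunk's documentation) here is a self-contained way to get the merged row using only the two searches from the question and SPL's `join` on the common host field. The index, sourcetype, database name and SQL are taken from the question; `type=inner`, the `rename` of `hostname` to `remotehost`, and the `lower()` normalisation on both sides are assumptions, the last one added because lookups and joins match values case-sensitively as the answer notes.

```spl
index=coreops sourcetype=sitescope_monitorstat UpTime
| rex field=_raw "days=\s(?<UpTime>\d+)"
| where UpTime > 1000
| dedup remotehost
| eval remotehost=lower(remotehost)
| fields remotehost UpTime
| join type=inner remotehost
    [ | dbquery OPSCONFIGAPP limit=1000 "select hostname, tier_level_str, classification from opsconfig.ac_servers_for_fsc"
      | rename hostname AS remotehost
      | eval remotehost=lower(remotehost) ]
| table remotehost UpTime tier_level_str classification
| sort -UpTime
```

The subsearch inside `join` is bounded by Splunk's subsearch limits (50,000 results and 60 seconds by default), so keep the `limit` on `dbquery` at or below that; for a large asset table the lookup approach from the answer scales better because it is not subject to those limits.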