Splunk DB Connect 1: Is it possible to use an eval...

sfatnass · ‎06-10-2015

Hi everybody,

I want to know if it's possible to use an eval before [dbquery "select blablabla"]

For example:

index="indexA" OR index="indexB" |eval newfield=field1 |stats values(newfield) as newfield values(field2) as field2 by  field1 
[dbquery mydatabase "select field2 from my_table"|fields + field2]

well i'm trying to get something like that, but splunk said eval is not used properly

I need to record all values of field1 from the index.
The lookup cannot be used for the requested sql.
if anybody have any idea thx

fdi01 · ‎06-10-2015

try lik:

|dbquery mydatabase "select field2 from my_table"|fields + field2|appendcols [ search index="indexA" OR index="indexB" |eval newfield=field1 |stats values(newfield) as newfield values(field2) as field2 by field1]

sfatnass · ‎06-12-2015

finally the kvstore resolve my problem thx

sfatnass · ‎06-10-2015

the dbquery not match with my index
for informaitons i use many dbquery in my request splunk

fdi01 · ‎06-10-2015

Splunk DB Connect 1: Is it possible to use an eval before dbquery?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!