Splunk DB Connect 1: Is it possible to use an eval...

sfatnass · ‎06-10-2015

Hi everybody,

I want to know if it's possible to use an eval before [dbquery "select blablabla"]

For example:

index="indexA" OR index="indexB" |eval newfield=field1 |stats values(newfield) as newfield values(field2) as field2 by  field1 
[dbquery mydatabase "select field2 from my_table"|fields + field2]

well i'm trying to get something like that, but splunk said eval is not used properly

I need to record all values of field1 from the index.
The lookup cannot be used for the requested sql.
if anybody have any idea thx

fdi01 · ‎06-10-2015

try lik:

|dbquery mydatabase "select field2 from my_table"|fields + field2|appendcols [ search index="indexA" OR index="indexB" |eval newfield=field1 |stats values(newfield) as newfield values(field2) as field2 by field1]

sfatnass · ‎06-12-2015

finally the kvstore resolve my problem thx

sfatnass · ‎06-10-2015

the dbquery not match with my index
for informaitons i use many dbquery in my request splunk

fdi01 · ‎06-10-2015

Splunk DB Connect 1: Is it possible to use an eval before dbquery?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life