
Is it not possible to run Splunk CLI savedsearch with dboutput from a shell script?

yelkey
Explorer

Hi,

I am new to Splunk. I have a requirement where I am invoking a Splunk saved search from a shell script: splunk search '|savedsearch "Myreport"'. The saved search has a dboutput statement to update the extracted information from Hunk into Oracle. My saved search looks something like this:

Index=ABC|mysearch| table a, b, c, d, e 
|dboutput database=XXX type=sql "INSERT INTO xyz 
                        (v,w,x,y,z) 
                        VALUES
                        ($a$, $b$, $c$, $d$, $e$)"

When I run the script, I am getting an error:

Error in 'savedsearch' command: Encountered the following error while building a search for saved search 'Myreport' : Error while replacing variable name='a'. Could not find variable in the argument map. 

Has anyone encountered this issue? Is it not possible to directly run a saved search with db commands?

0 Karma
somesoni2
Revered Legend

The problem is that the dollar sign ($) is a special symbol in a saved search, used to replace parameters. To use the literal $ symbol as required by the dboutput query, replace each $ with 2 $ symbols. So the resulting query should be like this:

index=ABC|mysearch| table a, b, c, d, e 
 |dboutput database=XXX type=sql "INSERT INTO xyz 
                         (v,w,x,y,z) 
                         VALUES
                         ($$a$$, $$b$$, $$c$$, $$d$$, $$e$$)"
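
An added example, not part of the original thread and not Splunk's own code: a simplified Python model of the substitution described in the answer above, usable as a pre-flight check on a saved search body before it is stored. The token grammar and all function names are assumptions; only the `$name$` and `$$` behaviour comes from this thread.

```python
import re

# Assumed token grammar: "$$" is an escaped dollar, "$name$" is a saved-search argument.
_TOKEN = re.compile(r"\$\$|\$([A-Za-z_][\w.]*)\$")

# Saved search body as posted in the question (single-dollar dboutput placeholders).
QUESTION_SPL = ('Index=ABC|mysearch| table a, b, c, d, e '
                '|dboutput database=XXX type=sql "INSERT INTO xyz (v,w,x,y,z) '
                'VALUES ($a$, $b$, $c$, $d$, $e$)"')

def unescaped_tokens(spl):
    """Names that savedsearch would try to resolve as arguments."""
    return [m.group(1) for m in _TOKEN.finditer(spl) if m.group(1)]

def escape_dollars(spl):
    """Double every '$' so it survives substitution as a literal."""
    return spl.replace("$", "$$")

def expand(spl, args=None):
    """Model of the substitution: resolve $name$ from args, turn $$ into $."""
    args = args or {}

    def repl(match):
        name = match.group(1)
        if name is None:          # matched the "$$" escape
            return "$"
        if name not in args:      # mirrors the error quoted in the question
            raise KeyError(f"Could not find variable name='{name}' in the argument map")
        return str(args[name])

    return _TOKEN.sub(repl, spl)

if __name__ == "__main__":
    print("would be treated as arguments:", unescaped_tokens(QUESTION_SPL))
    fixed = escape_dollars(QUESTION_SPL)
    print("stored form:", fixed)
    print("reaches dboutput as:", expand(fixed))
```
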

yelkey
Explorer

Hi, I have a follow-up question. How do I capture and verify the response (exit status) of this CLI savedsearch in the shell script? "$?" is 0 even if the query fails or there is no data to extract. I have to schedule another savedsearch based on whether the above search was successful or not. Thanks in advance for the help!!

0 Karma

yelkey
Explorer

It works! Thanks a ton!

0 Karma