Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Subsearch NOT with dbxquery

teknet9
Path Finder
‎08-25-2016 02:46 AM

Hello Team,

I do have dbquery from mysql:
|dbxquery query="SELECT mac FROM pc.pc" connection=MYSQL shortnames=true | fields - _*

This one displayes all the mac addresses from mysql.

I also have:
host="10.62.140.64" MACAddress
This one is displaying syslogs with all MACAddress values like MACAddress=00:01:02:03:04:05

I wanted to combine both and have a search which displays only syslogs with MACAddresses which are not in mysql database.
I have tried:
host="10.62.140.64" MACAddress NOT [dbxquery query="SELECT mac FROM pc.pc" connection=MYSQL shortnames=true | fields - _*]

But still all MACAddresses are being displayed. It looks like i can not correlate MACAddress with mac from subsearch. Could you help ?

Thanks,
Michal

0 Karma
Reply

renjith_nair
Legend
‎08-26-2016 08:01 AM

Try this

host="10.62.140.64" MACAddress NOT [|dbxquery query="SELECT mac as MACAddress  FROM pc.pc" connection=MYSQL shortnames=true | fields MACAddress ]
Happy Splunking!
0 Karma
Reply

teknet9
Path Finder
‎08-27-2016 11:29 PM

Hi Renjith.Nair

I can not since then mysql column name is different, so my real query has to remane this field:
host="10.62.140.64" MACAddress NOT [dbxquery query="SELECT mac FROM pc.pc" connection=MYSQL shortnames=true | fields mac | rename mac as MACAddress ]

But what i find interesting is that it looks like dbxquery is searching only for 100 000 entries ? (while i have 171K) ? But when i try to:
add "search MACAddress=00:50:B6:11:EA:CE" to my dbxquery that entry is being returned correctly.

Let me paste dbquery results:
alt text

We can see that mac, while the combined search still returns that record while it should not:
alt text

So maybe it is the issue with max 100k records ? Can i change it somehow ?

Thanks,
Michal

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

renjith_nair
Legend
‎08-28-2016 07:00 PM

I thought you could rename in the select itself ,like mac as MACAddress in SQL. Anyway if you are able to change it somehow it's fine. Subquery limit is 10k and you can change it in http://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf (be careful).
Also try adding format at the end of your subquery ie dbxquery query="SELECT mac FROM pc.pc" connection=MYSQL shortnames=true | fields mac | rename mac as MACAddress|format

Happy Splunking!
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...