Splunk DB Connect: Is it possible to use dbxquery ...

lasonyadj · ‎02-22-2017

Is it possible to use the results of a dbxquery to be used as a variable for a local search. For example, I want to output data on an hour basis using Splunk DB Connect, but in order to make sure that I am not missing any events that may have occured between data extracts, I want to query my oracle table for the max event time and use that as my "earliest" time. Is this possible?

aaraneta_splunk · ‎04-19-2017

@lasonyadj - Did the answer provided by woodcock help provide a working solution to your question? If yes, please don't forget to resolve this post by clicking "Accept". If no, please leave a comment with more feedback. Thanks!

woodcock · ‎02-22-2017

Yes, here is a run-anywhere example (try it for All time and notice that it does it only for an hour):

index=_* 
[| makeresults 
| rename _time AS earliest 
| eval earliest=earliest-3600, latest=now() 
| format "" "" "" "" "" "" 
| rex field=search mode=sed "s/\"//g"]

Yours would just switch out makeresults for your dbxquery command and get rid of the earliest=earliest-3600,.

Splunk DB Connect: Is it possible to use dbxquery results as a variable for local data search?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!