Splunk Search

Cannot get results from dbquery command to display in SimpleResultsTable

dlovett
Path Finder

Scratching my head on this one. I'm relatively new to Splunk and the DBConnect app. I have successfully created several saved searches and have been able to chart the results. However, when I try to display the results of a saved search in a simpleresultstable the Splunk Search Job inspector displays the following:

This search has completed and has returned 10 results by scanning 0 events in 0.829 seconds.
It is an instance of the saved search: RemedyDB Oldest Unresolved Tix.

The following messages were returned by the search subsystem:  
DEBUG: The 'dbquery' command is implemented as an external script and may cause the search to be significantly slower.  
DEBUG: search context: user="admin", app="mcitservicedesk", bs-pathname="D:\Splunk\etc"  

I'm using advanced XML as follows:
<module name="HiddenSavedSearch" layoutPanel="panel_row4_col2" group="Oldest Unsolved Tickets" autoRun="True">
  <param name="savedSearch">Oldest Unresolved Tix</param>
  <module name="SimpleResultsTable">
    <param name="drilldown">none</param>
    <param name="entityName">events</param>
    <param name="allowTransformedFieldSelect">True</param>
  </module>
</module>

Saved Search looks like:

  | dbquery database "SELECT ID, SUBMITTEDBY, CREATEDATE, RESOLVEDDATE, STAFFASSIGNED, MODIFIEDDATE, STATUS, UNIQNAME, GROUPX, CATEGORY, CLASS, ITEM FROM table name WHERE RESOLVEDDATE IS NULL AND INCIDENTX='TKT' AND ROWNUM <= 10 ORDER BY CREATEDATE" limit=10 | eval _time=CREATEDATE | sort +CREATEDATE

Any help would be greatly appreciated.

0 Karma
1 Solution

sideview
SplunkTrust
SplunkTrust

I would change the entityName param from events to results, like so:

<param name="entityName">results</param>

When you're running a regular Splunk search there can be a difference between the results (think the rows output by a timechart command) and the underlying events (think the events that were aggregated by that timechart command), and as such there's a distinction between events and results built into the API.

Python search commands however rarely output any events and they usually just output results. This seems to be the case with the dbquery command. How all of this results in that weird message coming back to the SimpleResultsTable is another matter, but a secondary one.

Also, if you're using a current version of Sideview Utils, you can use the Table module instead of SimpleResultsTable and it's a bit easier to use.

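The original module block from the question with the accepted fix applied, as an added example (not code from the original posts). The saved search name, layoutPanel and group are taken from the question; the change is the single entityName param, shown next to the setting it replaces:

```xml
<!-- Advanced XML: a HiddenSavedSearch driving a SimpleResultsTable.
     The saved search wraps dbquery, which emits results rather than events,
     so the table must ask the search job for "results". -->
<module name="HiddenSavedSearch" layoutPanel="panel_row4_col2" group="Oldest Unsolved Tickets" autoRun="True">
  <param name="savedSearch">Oldest Unresolved Tix</param>
  <module name="SimpleResultsTable">
    <param name="drilldown">none</param>
    <!-- before (renders nothing for a dbquery-backed search):
         <param name="entityName">events</param> -->
    <param name="entityName">results</param>
    <param name="allowTransformedFieldSelect">True</param>
  </module>
</module>
```

The same entityName rule applies to any other module that reads a search job (SimpleResultsTable, charting modules, and so on) when the job is produced by a command that only emits results, such as a Python external command.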

dlovett
Path Finder

Many thanks!

0 Karma