map search with dbxquery is not returning any Resu...

manunairadavakk · ‎07-25-2019

Hey there,

I have stumbled upon an issue where my below dbxquery map search is not yielding any results.
My intention is to pass a list of student_id values derived from my initial search to the dbxquery and get a list of state with their counts.

index="syslog" TERM(AUS)
| table student_id
| map search="dbxquery query=\"select distinct address_state, count(*)
FROM stud.common.details WHERE site='$student_id$' group by address_state\" connection=Student"

hettervik · ‎06-04-2021

Looks like I'm facing the same issue. When I run the dbxquery directly from the SPL search window it works just fine, but inside the map-command it just hangs forever. Did you ever get this to work?

Nikitha · ‎09-21-2020

Hi, were you able to solve the problem ? I am facing the same issue

kamlesh_vaghela · ‎07-26-2019

@manunairadavakkat

try by adding |.

index="syslog" TERM(AUS)
| table student_id
| map search="| dbxquery query=\"select distinct address_state, count(*)
FROM stud.common.details WHERE site='$student_id$' group by address_state\" connection=Student"

manunairadavakk · ‎07-26-2019

@kamlesh_vaghela
Tried the below query, but no results being displayed, only displays count of events.

index="syslog" TERM(AUS)
| table student_id
| map search="| dbxquery connection=Student query=\"select distinct address_state, count(*)
FROM stud.common.details WHERE group by address_state\" | site='$student_id$' "

kamlesh_vaghela · ‎07-26-2019

@manunairadavakkat

What are your required columns?

manunairadavakk · ‎07-26-2019

@kamlesh_vaghela
Required columns : address_state, count(*)

It should include all those student_id from the earlier search ----
index="syslog" TERM(AUS)
| table student_id

kamlesh_vaghela · ‎07-26-2019

@manunairadavakkat

Can you please try this?

index="syslog" TERM(AUS)
| table student_id
| map search="| dbxquery connection=Student query=\"select distinct address_state, count(*) as count
FROM stud.common.details WHERE group by address_state\" | site='$student_id$' | eval student_id='$student_id$' | table student_id address_state count"

manunairadavakk · ‎07-26-2019

@kamlesh_vaghela
It does not give any results.

Only the below count is shown:

21,657 events   (26/07/2019 18:01:01.000 to 26/07/2019 18:16:01.000)

"No results found" message in the result box

kamlesh_vaghela · ‎07-26-2019

@manunairadavakkat

Can you please execute below search by passing student_id and check results?

| dbxquery connection=Student query="select distinct address_state, count(*) as count
FROM stud.common.details WHERE group by address_state" | site='$student_id$' | eval student_id='$student_id$' | table student_id address_state count

manunairadavakk · ‎07-26-2019

@kamlesh_vaghela

Ran the query directly, it shows 117 results.
When running the above query as well, it shows event count as 117, but no results are displayed

kamlesh_vaghela · ‎07-26-2019

is it possible to share a screenshot?

map search with dbxquery is not returning any Result

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio