- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Passing a field from a database query to another s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I was playing around with DB connect and it is quite cool. However, when I was trying to make a dashboard out of some tables, I couldn't work out how to pass the values out of the original query.
In the simplest example : -
| dbquery orcl limit=1000 "select count(*) as myValue from tableA" |table myValue
appears to give me a blank value. Although if I leave out everything after the first pipe, it does work.
I also plan to use SideView utils to build some dashboards and will I be able to pass values from the query to other modules?
Thanks in advance.
Cheers,
Steve
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In this particular case you have the problem that Oracle typically returns column names in uppercase. dbquery simply emits the results it gets from the database. So in your example you could fix it by using the column name in upper case in the table command (which is case sensitive).
| dbquery orcl limit=1000 "select count(*) as myValue from tableA" |table MYVALUE
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In this particular case you have the problem that Oracle typically returns column names in uppercase. dbquery simply emits the results it gets from the database. So in your example you could fix it by using the column name in upper case in the table command (which is case sensitive).
| dbquery orcl limit=1000 "select count(*) as myValue from tableA" |table MYVALUE
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Ziegfried. Appreciate it!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here's an example using the HR.employees table. I can't seem to put the value of count(*) into a value to move it into another part of a search.
C:\Program Files\Splunk\bin>splunk search "|dbquery orcl limit=1000 \"select count(*) as myEmployees from hr.employees\""
MYEMPLOYEES
-----------
107
C:\Program Files\Splunk\bin>splunk search "|dbquery orcl limit=1000 \"select count(*) as myEmployees from hr.employees\" |table myEmployees"
INFO: No matching fields exist
Does that help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please explain in more detail what you want to achieve by "passing values out of the original query".
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
