Dashboards & Visualizations

DBX: Combining WHERE in custom SQL with rising column

sowings
Splunk Employee
Splunk Employee

I've got a custom query in the DBX app that's trying to perform some filtration on the rows returned. I'm trying to couple this with the rising column logic in a dbmon-tail input.

Example query:

SELECT * FROM USER_SESSION WHERE SUBSTRING(USER_ID, 1, 1) IN ('A', 'B', 'C') AND SUBSTRING(USER_ID, 2, 1) NOT IN ('Z').

Where would the {{ $rising_column$ > ? }} statement go?

I'm assuming that the {{ }} part is making it optional and DB Connect will only fill it in for the "tailing" kind of requests, and not the "first fetch" where it doesn't yet have a value for the rising column. Would I have to enable the tail.follow.only setting?

Tags (2)
0 Karma
1 Solution

jtacy
Builder

You should be able to add {{AND $rising_column$ > ?}} to the end of your statement. I used this approach to only pull recent events from a very large table on the first run:

WHERE ACCESSDATE >= TO_DATE('2013-08-01', 'YYYY-MM-DD')
{{AND $rising_column$ > ?}}

There's some more information about how this works under the "Query generation" heading here:
Configure database inputs

View solution in original post

jtacy
Builder

You should be able to add {{AND $rising_column$ > ?}} to the end of your statement. I used this approach to only pull recent events from a very large table on the first run:

WHERE ACCESSDATE >= TO_DATE('2013-08-01', 'YYYY-MM-DD')
{{AND $rising_column$ > ?}}

There's some more information about how this works under the "Query generation" heading here:
Configure database inputs

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...