All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

UUIDs as variables passed to postgres dbquery / Removing quotes / ?

arichman
Explorer
‎12-17-2014 01:57 PM

Hello,
I've tried a wide variety of queries but Postgres is returning errors when trying to pass a UUID in a variable to my query:
base search | table l_id, l_name | eval l_id_quotes="'".l_id."'" | map maxsearches=100 search="dbquery mydb \"select * from my_table where id LIKE '$l_id_quotes$' \""

The errors look like:
[map]: command="dbquery", A database error occurred: ERROR: syntax error at or near "027e435" Position: 47

Without the eval statement, I was unable to get a single-quoted value for postgres to not parse as a column. And if I exclude single quotes from around '$l_id_quotes$' then the query is always wrapped in double quotes, which causes the same problem with postgres.

In addition to WHERE id LIKE..., I've tried:
WHERE id::varchar='$l_id_quotes$'
WHERE CHARINDEX (id, '$_id_quotes$') > 0
WHERE id IN ('$_id_quotes$')
... all to return the same errors.

The query WHERE id::varchar='fake-literal-valid-uuid' actually works.

Anybody done this successfully with postgres?
Thanks!

Reply
1 Solution
Solved! Jump to solution
Solution

arichman
Explorer
‎12-18-2014 09:07 AM

I'll answer my own question...
I resolved this issue with some egregious string manipulation...

base search | table l_id, l_name | eval sql_str="select name, id::varchar from my_table where id = '".$l_id$."';" | map maxsearches=100 search="| dbquery mydb $sql_str$"

View solution in original post

Reply
Solved! Jump to solution
Solution

arichman
Explorer
‎12-18-2014 09:07 AM

I'll answer my own question...
I resolved this issue with some egregious string manipulation...

base search | table l_id, l_name | eval sql_str="select name, id::varchar from my_table where id = '".$l_id$."';" | map maxsearches=100 search="| dbquery mydb $sql_str$"

Reply
Solved! Jump to solution

mishin
Explorer
‎11-12-2015 10:52 PM

thanks, very useful!!

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...