Description: The traditional join command joins the results from the main results pipeline with the search pipeline results provided as the last argument. The join command is used to merge the results of a

Optionally specifies the exact fields to join on. If no fields are specified, all fields that are shared by both result sets will be used.

| join max=0 userid [| inputlookup testgroup.csv | table userId group]

But what happens is that each event just gets a single value (g1, g2 or g3) returned for group instead of a multivalued field that contains all matches. Basically the lookup should return all matches as a multivalue field.

I have two systems, System A and System B. System A receives customer information which is then sent to System B.

Hello, I am quite new to Splunk and this is my first post. I am trying to merge a Splunk search query with a database query result set. Basically I have a Splunk dbxquery 1 which returns userid and email from the database as follows for a particular user id:

| dbxquery connection="CMDB009" query="SELECT dra.value, z.email FROM DRES_PRINTABLE z, DRES.CREDENTIAL bc, DRES.CRATTR dra WHERE z.userid = bc.drid AND z.drid = dra.dredid AND dra.value in ('xy67383') "

xy67383 comes from Splunk query 2, which provides the user ids as follows:

index=index1 (host=xyz OR host=ABC) | rex field=_raw "samlToken\=(?<user>.+?):" | stats count by user | sort -count | table user

This above query 2 returns a column called user but not email. What I want to do is add a column called email from Splunk dbxquery 1 for all matching rows by userid in the output of query 1. Basically I want to add email as an additional field for each user returned in query 2. What I tried so far is this, but it does not give me any results:

index=index1 (host=xyz OR host=ABC) | rex field=_raw "samlToken\=(?<user>.+?):" | stats count by user | sort -count | map search="| dbxquery connection=\"CMDB009\" query=\"SELECT dra.value, z.email FROM DRES_PRINTABLE z, DRES.CREDENTIAL bc, DRES.CRATTR dra WHERE z.userid = bc.drid AND z.drid = dra.dredid AND dra.value in ('$user'):\""

Hoping that I can get some help from this awesome community.

Further fragments of the thread, the later attempt that the answer below refers to, as they survive on the page:

[search index=index1 source="/logs/occurences.log" SERVER_SERVER_CONNECT NOT AMP | rex field=_raw "Origusername\((?<username>.+?)\)"]

| join type=outer usetime=true earlier=true username,host,user

Answer: Replace $user with $user$ in the map command. The username field is not available at the end of the query because the stats command stripped it out. The only fields available after stats are the ones mentioned in the command (user and count in this case). To make the username field available, add it to the stats command:

| stats count by user, username | sort -count
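The corrected search assembled from the answer above, as an added example that is not code from the original thread. It keeps the index, hosts, connection name, SQL and the samlToken field from the question; the `[A-Za-z0-9]+` character class, `maxsearches=100` and the `eval` that carries `count` through `map` are my additions and assume that user ids are alphanumeric. The narrower capture matters because `dra.value in ('$user$')` pastes whatever the regex captured straight into the SQL string: with the original `.+?` the captured value is everything between `samlToken=` and the first colon in the log line, quotes included, so log content can alter the query. An allowlist capture keeps only id-shaped tokens from reaching the database.

```spl
index=index1 (host=xyz OR host=ABC)
| rex field=_raw "samlToken\=(?<user>[A-Za-z0-9]+):"
| stats count by user
| sort -count
| map maxsearches=100 search="| dbxquery connection=\"CMDB009\" query=\"SELECT dra.value, z.email FROM DRES_PRINTABLE z, DRES.CREDENTIAL bc, DRES.CRATTR dra WHERE z.userid = bc.drid AND z.drid = dra.dredid AND dra.value in ('$user$')\" | eval user=\"$user$\", count=$count$"
| table user email count
```

Two points a practitioner should check before running this. First, `map` runs the inner `dbxquery` once per row of the outer search and stops at `maxsearches` (the default is 10), so a long user list needs a higher limit and produces that many database round trips. Second, the inner search only returns what `dbxquery` produces, which is why `user` and `count` are re-added from the `$user$` and `$count$` tokens; without that `eval` the email column would arrive without the user it belongs to. If the credential table is small, a single `dbxquery` without the `IN` filter, joined to the search results on the id with `join type=left`, avoids both the per-row queries and the string interpolation altogether; that changes the SQL the question posted, so it is an alternative rather than the same query.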