Hi all,
I've opened a case with support but am wondering if anyone has come across this issue. I just set up the latest Splunk (7.1.2) on RHEL 7 with Spunk DB Connect 3.1.3. I have an old setup (Splunk 6.2 with DB Connect 2.1.x) that I pulled a working dbxquery from and copied into my new system. When I run the query which contains a subsearch, the job inspector is showing that the |dbxquery connection=NCReporter query= contains a space. Here's my search:
| dbxquery connection=NCreporter query=[search index=nc_alarms sourcetype=nc_alarms NODE=* NETWORK=233 (ALERTGROUP=DOOR OR ALERTGROUP=DOOR.D OR ALERTKEY=*Mobility* OR LOCATION=*CELL*) NOT (ALERTGROUP=*A) | table SERVERSERIAL,SERVERNAME | format | eval filter=replace(search,"\"","'") | eval dbquery=("\"SELECT NODE,LOCATION,FIRSTOCCURRENCE,LASTOCCURRENCE,SUMMARY,CLEARTIME,TALLY,ALERTGROUP,ALERTKEY from REPORTER_STATUS where ".search+"\"")|return $dbquery]
It returns a dbx error -1. Looking at the job inspector I see:
|dbxquery connection=NCreporter query= "SELECT NODE,LOCATION,FIRSTOCCURRENCE,LASTOCCURRENCE,SUMMARY,CLEARTIME,TALLY,ALERTGROUP,ALERTKEY from REPORTER_STATUS where ( ( SERVERNAME="WPG2NCOMS_P" AND SERVERSERIAL="1040188954" ) OR ( SERVERNAME="WPG2NCOMS_P" AND SERVERSERIAL="1040200242" ) )" | fields keepcolorder=t "*" "_bkt" "_cd" "_si" "host" "index" "linecount" "source" "sourcetype" "splunk_server" | remotetl nb=300 et=1532386071.000000 lt=1532386971.000000 remove=true max_count=1000 max_prefetch=100
There is a space being added by the dbxquery. If I take the dbxquery out of the mix and just do a normal subsearch, I get the proper string (but of course it does nothing for me as I need to send that query to the database with dbxquery).
Has anyone come across this?
Thanks,
Sean
... View more