db_lookups.conf.spec
[<name>] description = <string> # optional # Description for this lookup lookupSQL = <string> # required # Specifies the SQL query for lookups. connection = <string> # required # Specifies the database connection to use. output_column_map = <string> # required # Key/value pairs of database columns to search result column in JSON format. input_column_map = <string> # required # Key/value pairs of search result column to database column in JSON format. ui_input_spl_search = <string> # optional # the splunk spl search which will be used for choosing lookup input_fields ui_input_saved_search = <string> # optional # the splunk saved search which will be used for choosing lookup input_fields ui_use_saved_search = [true|false] # optional # if true, then the UI will use ui_input_saved_search # if false, then the UI will use ui_input_spl_search input_fields = <string> # deprecated since DBX v3.1.0, it is replaced by input_column_map # Specifies the input fields for lookups. output_fields = <string> # deprecated since DBX v3.1.0, it is replaced by output_column_map # Specifies the output fields after lookups. ui_query_mode = [simple|advanced] # deprecated since DBX v3.1.0, it is ignored by the UI # optional # specify whether the ui should use simple mode or advanced mode for SQL queries ui_query_catalog = <string> # deprecated since DBX v3.1.0, it is ignored by the UI # optional # in simple mode, this value will be pre-populated into the catalog dropdown ui_query_schema = <string> # deprecated since DBX v3.1.0, it is ignored by the UI # optional # in simple mode, this value will be pre-populated into the schema dropdown ui_query_table = <string> # deprecated since DBX v3.1.0, it is ignored by the UI # optional # in simple mode, this value will be pre-populated into the query dropdown ui_column_output_map = <string> # deprecated since DBX v3.1.0, it is ignored by the UI # optional # JSON mapping from db result column to field name ui_field_column_map = <value> # deprecated since DBX v3.1.0, it is ignored by the UI # optional # JSON mapping from search result field to db column ui_query_result_columns = <value> # deprecated since DBX v3.1.0, it is ignored by the UI # optional # JSON encoded array of query result columns # stores the columns from the associated lookupSQL
Example:
[test_lookup] lookupSQL = SELECT * FROM `sakila`.`actor` connection = test_connection input_fields = test_input_field output_fields = actor_id ui_query_mode = simple ui_query_catalog = sakila ui_query_schema = NULL ui_query_table = actor ui_input_spl_search = index=main | stats count(*) by test_input_field ui_use_saved_search = 0 ui_query_result_columns = [{"name":"actor_id"},{"name":"first_name"},{"name":"test_input_field"},{"name":"last_update"}] ui_column_output_map = [{"removable":false,"label":"actor_id","value":"actor_id","name":"actor_id","alias":"output_actor_id"}] ui_field_column_map = [{"name":"test_input_field","selected":true,"removable":true,"label":"test_input_field","value":"test_input_field","alias":"test_input_field"}]
db_outputs.conf.spec | identities.conf.spec |
This documentation applies to the following versions of Splunk® DB Connect: 3.8.0, 3.9.0, 3.10.0
Feedback submitted, thanks!