Greetings,
I was chatting with a Splunk SE earlier in the week and was complaining that I had a DBConnect to a remote database. Remote is relative here, it is still in our MAN connected via 10Gb fiber. Anyway, I was complaining that my form generated search was taking upwards of 7 minutes to complete. He suggested that I bring the data over to Splunk, especially since it is not terribly time sensitive so a nightly or weekly would work fine.
I suspect if I brought over a dump locally, I could have Splunk monitor the directory it goes into. But would DBConnect recognize it as a database and treat it as such? Is there a way to bring over the data locally from the search?
For completeness, this is the search:
| dbquery "DBNAME" "SELECT * FROM 01003" limit=1000| rename BID as YID | join YID [|dbquery "DBNAME" "SELECT * FROM 01004"] |eval Zip=substr(ZIPCDE,1,5) | search Zip=$zip$ |table ADR,CITY,STATE,ZIPCDE,USRCD
Any advise you have to bring over the MSSQL database and do something like cron the local population of the data w/o causing duplicates would be very much appreciated.
Thanks,
Dave