Can I use dbxlookup (db connect 3.1) in data model root search?

clagese
Explorer

I'm defining some data models and I need to use an external lookup on a relational DB to extend the events' data. In a classic search I use the dbxlookup command of DB Connect 3.1, but when I use this command in the base search of a dataset in a data model I get this error in splunkd:

    12-14-2017 11:57:28.197 +0100 ERROR ChunkedExternProcessor - stderr: 11:57:28.195 2169@searchdp-clt-1 [main] INFO  c.splunk.dbx.utils.TrustManagerUtil - action=load_key_manager_succeed
    12-14-2017 11:57:28.581 +0100 ERROR ChunkedExternProcessor - stderr: 11:57:28.579 2169@searchdp-clt-1 [main] INFO  c.s.dbx.command.DbxLookupCommand - action=init_lookup, chunk size is 1000
    12-14-2017 11:57:29.525 +0100 ERROR ChunkedExternProcessor - stderr: 11:57:29.523 2210@searchdp-clt-1 [main] INFO  c.splunk.dbx.utils.TrustManagerUtil - action=load_key_manager_succeed

Example of a base search in the dataset:

    index=dp_api | dbxlookup lookup=lookup_account_list_trackcodes

Moreover, the dataset list page loads very, very slowly and produces the same errors as above in the splunkd log.

Can I use dbxlookup in a data model, or is there an alternative method to do a DB lookup in a data model?

0 Karma

micahkemp
Champion

Data model root searches cannot contain pipes.

Root event datasets are the most commonly-used type of root data model dataset. Each root event dataset broadly represents a type of event. For example, an HTTP Access root event dataset could correspond to access log events, while an Error event corresponds to events with error messages.
Root event datasets are typically defined by a simple constraint. This constraint is what an experienced Splunk user might think of as the first portion of a search, before the pipe character, commands, and arguments are applied. For example, status > 600 and sourcetype=access_* OR sourcetype=iis* are possible event dataset definitions.

From the documentation.

Your only option here would be if you could make that dbxlookup automatic so that it doesn't have to be placed in the search string. I'm not that familiar with dbconnect, so I don't have an answer regarding the feasibility of doing so.

0 Karma