All Apps and Add-ons

Can I use dbxlookup (db connect 3.1) in data model root search?


I 'm defining some data model and I need to use external lookup on relational db to extend event's data. In classic search I use dbxlookup command of db connect 3.1 but when I use this command on base search of data set in data model I get this error in splunkd:

12-14-2017 11:57:28.197 +0100 ERROR ChunkedExternProcessor - stderr: 11:57:28.195 2169@searchdp-clt-1 [main] INFO  c.splunk.dbx.utils.TrustManagerUtil - action=load_key_manager_succeed
    12-14-2017 11:57:28.581 +0100 ERROR ChunkedExternProcessor - stderr: 11:57:28.579 2169@searchdp-clt-1 [main] INFO  c.s.dbx.command.DbxLookupCommand - action=init_lookup, chunk size is 1000
    12-14-2017 11:57:29.525 +0100 ERROR ChunkedExternProcessor - stderr: 11:57:29.523 2210@searchdp-clt-1 [main] INFO  c.splunk.dbx.utils.TrustManagerUtil - action=load_key_manager_succeed

Example of base search in dataset:

index=dp_api | dbxlookup lookup=lookup_account_list_trackcodes

Moreover dataset list page loading is very very slow and produce same above errors on splunkd log.

Can I use dbxlookup in data model or Is there an alternative method to do db lookup in data model ?

0 Karma


Datamodel root searches can not contain pipes.

Root event datasets are the most commonly-used type of root data model dataset. Each root event dataset broadly represents a type of event. For example, an HTTP Access root event dataset could correspond to access log events, while an Error event corresponds to events with error messages.
Root event datasets are typically defined by a simple constraint. This constraint is what an experienced Splunk user might think of as the first portion of a search, before the pipe character, commands, and arguments are applied. For example, status > 600 and sourcetype=access_* OR sourcetype=iis* are possible event dataset definitions.

From the documentation.

Your only option here would be if you could make that dbxlookup automatic so that it doesn't have to be placed in the search string. I'm not that familiar with dbconnect, so I don't have an answer regarding the feasibility of doing so.

0 Karma
Get Updates on the Splunk Community!

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...