All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

DB-Connect 3 - dbxlookup with query does not work

Dohrendorf_DB
Engager
‎08-08-2019 12:51 AM

Hi fellow Splunkers,
I am trying to use DB-Connect to enrich search results by doing a dbxlookup against a table.

This is my command: 

| makeresults
| eval value_i_know_to_be_in_database="218024571471"
| dbxlookup query="SELECT * FROM my_table" connection="my_connection" DATABASE_FIELDNAME as value_i_know_to_be_in_database OUTPUT CONTENT as dbx_content

For all I know this is exactly in line with the documentation. To verify that i did not goof the query i also ran:

| dbxquery query="SELECT * FROM my_table" connection="my_connection" 
| outputlookup dbxtest.csv

This returns results and looks right.
I added it to my previos search like this:

| makeresults
| eval value_i_know_to_be_in_database="218024571471"
| dbxlookup query="SELECT * FROM my_table" connection="my_connection" DATABASE_FIELDNAME as value_i_know_to_be_in_database OUTPUT CONTENT as dbx_content
| lookup dbxtest.csv DATABASE_FIELDNAME as value_i_know_to_be_in_database OUTPUT CONTENT as lookup_content

Now I get the expected value in the lookup_content field and still nothing in the dbx_content field.

I have been at this problem for multiple hours now and can't seem to get anywhere. I also tried to use a predefined lookup (which in actual production I can not use because my query needs to be dynamic). Did not work either.

At this point I don`t know what else to try. I have read the docs forward and back, but I can not get anything.

Help me answers.splunk. You are my only hope.

Tags (1)
0 Karma
Reply

SinghK
Builder
‎01-14-2022 06:14 AM

When you run the query from UI donyou get expected results??

0 Karma
Reply

louismai
Path Finder
‎01-15-2022 11:54 PM

Hi @SinghK ,

I go to DataLab > Lookups > New Lookups,

Step 1:  Set Reference Search with time range : results as expected

Step 2: Set Lookup SQL: results as expected

Step 3: Field Mapping:

- Search Fields Match Table Columns (case sensitive)

- Lookup Fields: Table columns chosen

Preview Results:

(...) | dbxlookup connection="Pro_DB" query="SELECT TOP(1000) [SID] ,
        [LogTime] ,
        [DocID]
FROM [Storage].[dbo].[DocStates]
ORDER BY [LogTime] DESC" "SID" AS "SID" OUTPUT "LogTime" AS "Log_Time", "DocID" AS "Doc_ID"

Then I clicked on "Open In Search", only the SPL query returns result, but the dbxlookup fields are all blank.

Tks

Louis

 

0 Karma
Reply

manunairadavakk
Path Finder
‎09-03-2019 04:07 AM

@Dohrendorf_DB

Did you get any help or were able to find any solution?
I am also facing the same issue

0 Karma
Reply

Dohrendorf_DB
Engager
‎09-03-2019 04:09 AM

Sadly no. There was no response to this question in any shape or form so far.

For now I solved my problem by running a subsearch with a join, which seems very wrong, but i couldn't solve it any other way.

Please post in here if you find anything.

0 Karma
Reply

drodman29
Path Finder
‎10-19-2021 10:56 AM

Still broken. 

Solved my issue by running dbxquery output to a csv lookup, then using the normal lookups. 

Reply

louismai
Path Finder
‎01-14-2022 04:26 AM

It seems to be the only one solution for now. I have to use your solution because the bug is still there until now.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...