All Apps and Add-ons

DB Connect V2: How to create a lookup for an Oracle DB that contains 33 millions entries?



when we try to create a dblookup, based up DB Connect v2, out of a tableview from an Oracle DB with 33 million entries we always get the following error message, after we execute a splunk query that uses the lookup:

09-14-2016 14:59:05.855 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/etc/apps/splunk_app_db_connect/bin/ bic_testlookup':  Traceback (most recent call last):
09-14-2016 14:59:05.855 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/etc/apps/splunk_app_db_connect/bin/ bic_testlookup':    File "/opt/splunk/etc/apps/splunk_app_db_connect/bin/", line 114, in <module>
09-14-2016 14:59:05.855 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/etc/apps/splunk_app_db_connect/bin/ bic_testlookup':      raise ex
09-14-2016 14:59:05.855 ERROR ScriptRunner - stderr from '/opt/splunk/bin/python /opt/splunk/etc/apps/splunk_app_db_connect/bin/ bic_testlookup':  RuntimeError: maximum recursion depth exceeded
09-14-2016 14:59:05.867 ERROR LookupOperator - Script for lookup table 'db_connect_bic_testlookup' returned error code 1.  Results may be incorrect.

With DB Connect v1 our lookup definition with the exact same database worked perfectly fine. What has been changed in v2 and how can we fix it to make it work again?
Thank you in advance.

Splunk Employee
Splunk Employee

without the query, it is impossible to state what might be wrong. However, when you go from v1 to v2.1+ and things stop working, this is usually a good guess:

0 Karma


I filed a case.

Here also the info:

steps to reproduce
1.) Create an Oracle database with a simple schema, six or seven field rows, but 33 million entries.

2.) Setup DBConnect v2 to access the database.

3.) Create a DB Lookup/Mapping based upon the database.

4.) Do a simple search that uses the lookup.

Example setup:

SQL statement out of the inputs.conf:

external_cmd = data_hhdev

savedsearch.conf (contains the scheduled search that uses the dblookup):
search = index=myindex Id="*" foostring | lookup data_hhdev ID as Id OUTPUT SOURCE_ID as scid FOOID as FOOID | collect index=summary testmode=0 marker="type=\"foo_type\""

0 Karma


Additional info: I switched of the query wrapping in the db_connections.conf, but no difference.

When i use "|lookup local=1 data_....." it is working.

When i look at the explanation for this switch, it does make sense:

Syntax: local=
Description: If local=true, forces the lookup to run on the search head and not on any remote peers.
Default: false

Since i don´t have dbconnect anywhere else, local=1 must be set when i want to use dbconnect for lookups. I have to test this further.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!