
How to set up a Splunk DB Connect 2 Lookup that is available in the Search App?

Path Finder

I am using DB Connect 2 to pull information from a database into a lookup table. It is set up correctly, but the lookup table is not available in the Search app. It looks like it is only available under the DB Connect App. What do I have to do to make it available globally? I found the lookup definition created by DB Connect and changed the permission to global, but I still get the following error when I try to use the lookup table in the Search App:

Error in 'lookup' command: The lookup table 'db_connect_CarrierLookup' does not exist. 

If I run the exact search under DB Connect V2 app it works.

Path Finder

Okay, thanks in part to the comment by @jcoates, I was able to get it working.

There are 3 components of a DB lookup (4 for automatic lookups):

  • (the python script which does the heavy lifting)
  • a lookup definition defined in transforms.conf
  • a lookup input defined in inputs.conf

In order to get DB lookups defined in other apps to work, you need (at minimum):

  • exported globally
  • your lookup definition exported globally

Here's how I did it.

Export globally

Add the following stanza to $SPLUNK_HOME/etc/apps/splunk_app_db_connect/metadata/local.meta to export the script globally (I couldn't figure out a way to do this via the web interface)

export = system

(At this point, I restarted Splunk)

Define your DB lookup

I used the GUI and selected the app context at the end of the wizard. If you've defined it in the wrong place, you should move the lookup definition via the DB Connect app instead of via the normal Splunk settings page (e.g. edit the config and change the app context), because there's also an input that needs to be moved.

Defining the DB lookup will create the following:

in $SPLUNK_HOME/etc/apps//local/transforms.conf:

[<lookup name>]
external_cmd = <lookup name>
fields_list = <comma-separated list of fields you've defined>

in $SPLUNK_HOME/etc/apps//local/inputs.conf:

[mi_lookup://<lookup name>]
... # there's about 16 entries under this stanza. It contains the raw SQL for the lookup, as well as some other bits and pieces used by the gui

In $SPLUNK_HOME/etc/apps//metadata/local.meta:

[transforms/<lookup name>]

If you've defined the lookup as an automatic lookup, you'll also have entries in $SPLUNK_HOME/etc/apps//local/props.conf like so:

LOOKUP-db_connect_<lookup name> = <lookup name> <field> AS <alias> OUTPUTNEW <field>...

and in $SPLUNK_HOME/etc/apps//metadata/local.meta:

[props/<props_spec>/LOOKUP-db_connect_<lookup name>]
.... # note: setting export = system here is optional. The automatic lookups will work if searches are run from within your app context.

Export your lookup definition globally

You can do this via the settings page in Splunk (you want the lookup definition, not the lookup table).

Alternatively, in $SPLUNK_HOME/etc/apps//metadata/local.meta:

[transforms/<lookup name>]
export = system
... # other stuff already added by Splunk
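
A check for the export settings described in this answer, as an added example that is not part of the original post: it parses a local.meta file and lists the lookup definitions (or automatic lookups) that are still private to their app. The sample file content and all names in it are constructed, and the fallback from object stanza to type stanza to `[]` is resolved within a single file only, without merging default.meta.

```python
import re

# Constructed sample of an app's metadata/local.meta (all names are placeholders).
SAMPLE_META = """\
[]
access = read : [ * ], write : [ admin ]

[transforms/carrier_lookup]
export = system

[transforms/orders_lookup]
owner = admin

[props/my_sourcetype/LOOKUP-db_connect_carrier_lookup]
"""

def parse_meta(text):
    """Parse .meta text into {stanza name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.*)\]$", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective_export(stanzas, name):
    """Look up export on the object, then its type stanza, then the [] default."""
    for candidate in (name, name.split("/", 1)[0], ""):
        value = stanzas.get(candidate, {}).get("export")
        if value is not None:
            return value
    return "none"  # nothing set: the object stays private to its app

def not_exported(text, obj_type="transforms"):
    """Return objects of obj_type that searches in other apps cannot see."""
    stanzas = parse_meta(text)
    return sorted(name for name in stanzas
                  if name.startswith(obj_type + "/")
                  and effective_export(stanzas, name) != "system")

if __name__ == "__main__":
    print(not_exported(SAMPLE_META))           # lookup definitions
    print(not_exported(SAMPLE_META, "props"))  # automatic lookups
```

Setting `export = system` under `[]` would also clear the report, but it exports every knowledge object in the app; the per-object stanzas shown in the answer keep everything else app-scoped.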

Revered Legend

Try these steps

1) Go to Settings->Lookups -> Lookup table files, change the App context to DB Connect and locate your lookup table.
2) In the right most column Actions, click on Move for the record of your lookup table and select Search as application and click on Move.
3) You can see the object moved to Search apps and App context is changed to Search. Optionally, you can change its Sharing to All apps (by clicking on Permissions under Sharing column).

0 Karma

Path Finder

That is the problem - The tables that are created dynamically are not listed there under Lookup Table Files. It is hidden and I have no access to it to change the permission.

0 Karma

Path Finder

DB Connect looks more and more useless every time I try to use it. I had issues before with using DB Connect with outputting data from Splunk - now it looks like lookup using DB Connect is also useless.

According to Splunk Support, any data pulled into Splunk using DB Lookup is only available while you are in the DB Connect App context, so Lookup tables created by DB Lookup are not available to be used in searches or alerts or dashboards outside of DB Connect App.

How useless is this feature? If I am importing data using DB Connect to a lookup table it should be obvious that I want to use it in Search App or a dashboard I created under Search App or an alert I set up. What use is it to anyone if it can only be seen under the DB Connect App?

0 Karma

Splunk Employee

Please try adding these to the local.meta file. This should resolve the issue.

export = system

export = system

Path Finder

Same question as above: which local.meta file are you talking about? If you are talking about the user local.meta, then I have to note that we are using LDAP and have lots of users and cannot really go and create a local.meta for each user. There really should be a better solution for this.

0 Karma

Splunk Employee

into which of the local.meta files?

0 Karma