Missing events using dbxlookup

LH_SPLUNK · ‎01-14-2019

Hi,
I'm using a dbxlookup.
While searching WITHOUT the lookup I get all events.
With the dbxlookup there are some events are missing, thus the dbxlookup isn't used in the first step.

All results:
index=main
| fields *
| search source=A
| search ANum=Number
| stats count

Thanks.
LH

nikita_p · ‎01-15-2019

Hi,
There are two ways to use dbxlookup command.

dbxlookup chunksize= lookup=
The argument refers to the lookup you defined in DB Connect UI.
From DB Connect 3.1.0, dbxlookup command allows users to declare Splunk fields/table column mapping directly in the options. The syntax is similar as lookup. Users do not have to create a lookup in UI before using it in dbxlookup command.

dbxlookup connection= query= chunksize= AS OUTPUT AS

Also go through the link below of splunk documentation
https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/Createandmanagedatabaselookups

richgalloway · ‎01-14-2019

What events are missing?

---
If this reply helps you, Karma would be appreciated.

LH_SPLUNK · ‎01-15-2019

Splunk cannot find events during the whole timespan.
-->Searching 7 days --> getting the results for 1 day

Searching day by day I get every event but the whole span --> missing events

I get an error sign under the search but no explanation. In the search.log the error is next to ChunkedExternProcessor

richgalloway · ‎01-15-2019

What is the full text of the ChunkedExternProcessor error message?

---
If this reply helps you, Karma would be appreciated.

Missing events using dbxlookup

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes