I am trying to create a report for failed Oracle logins and noticed that the lookup provided with the Add-on for Oracle Database seems to be missing ORA-01017.
This search of the lookup returns no rows:
| inputlookup oracle_ora_codes.csv
| search ORACODE=ORA-01017
Just to make sure I wasn’t missing something, I checked the oerr utility for 1017 and got the following:
$ oerr ora 1017
01017, 00000, "invalid username/password; logon denied"
Am I missing something obvious? Has anyone else run into missing codes? What is the best way to deal with this?
TA uses very simple lookup for action where O is success and other than 0 fail. I didn’t see any values for the lookup you mentioned in at least old version of lookup. May be you are referring latest version.
We are using add-on version 3.7.0 on Splunk 7.3.3.
Our lookup has 19,000+ entries similar to this:
| inputlookup oracle_ora_codes.csv | head 5