All Apps and Add-ons

Splunk Add-on for Oracle Database missing value from lookup

follings
Engager

I am trying to create a report for failed Oracle logins and noticed that the lookup provided with the Add-on for Oracle Database seems to be missing ORA-01017.

This search of the lookup returns no rows:

| inputlookup oracle_ora_codes.csv
| search ORACODE=ORA-01017

Just to make sure I wasn’t missing something, I checked the oerr utility for 1017 and got the following:

$ oerr ora 1017
01017, 00000, "invalid username/password; logon denied"
// *Cause:
// *Action:

Am I missing something obvious?  Has anyone else run into missing codes?  What is the best way to deal with this?

0 Karma

thambisetty
SplunkTrust
SplunkTrust

TA uses very simple lookup for action where O is success and other than 0 fail. I didn’t see any values for the lookup you mentioned in at least old version of lookup. May be you are referring latest version.

————————————
If this helps, give a like below.
0 Karma

follings
Engager

We are using add-on version 3.7.0 on Splunk 7.3.3.

Our lookup has 19,000+ entries similar to this:

| inputlookup oracle_ora_codes.csv
| head 5

ACTIONCAUSEDESCRIPTIONORACODE
NoneNormal exit.normal, successful completionORA-00000
Either remove the unique restriction or do not insert the key.An UPDATE or INSERT statement attempted to insert a duplicate key. For Trusted Oracle configured in DBMS MAC mode, you may see this message if a duplicate entry exists at a different level.unique constraint (string.string) violatedORA-00001
Either remove the unique restriction or do not insert the key.An UPDATE or INSERT statement attempted to insert a duplicate key. For Trusted Oracle configured in DBMS MAC mode, you may see this message if a duplicate entry exists at a different level.unique constraint (string.string) violatedORA-1
This is used internally; no action is required.The current session was requested to set a trace event by another session.session requested to set trace eventORA-00017
This is used internally; no action is required.The current session was requested to set a trace event by another session.session requested to set trace eventORA-17

 

 

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk Observability Cloud – June 2025

What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...

Almost Too Eventful Assurance: Part 2

Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

 Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research Team (STRT) and ...