I am trying to create a report for failed Oracle logins and noticed that the lookup provided with the Add-on for Oracle Database seems to be missing ORA-01017.
This search of the lookup returns no rows:
| inputlookup oracle_ora_codes.csv
| search ORACODE=ORA-01017
Just to make sure I wasn’t missing something, I checked the oerr utility for 1017 and got the following:
$ oerr ora 1017
01017, 00000, "invalid username/password; logon denied"
// *Cause:
// *Action:
Am I missing something obvious? Has anyone else run into missing codes? What is the best way to deal with this?
TA uses very simple lookup for action where O is success and other than 0 fail. I didn’t see any values for the lookup you mentioned in at least old version of lookup. May be you are referring latest version.
We are using add-on version 3.7.0 on Splunk 7.3.3.
Our lookup has 19,000+ entries similar to this:
| inputlookup oracle_ora_codes.csv
| head 5
ACTION | CAUSE | DESCRIPTION | ORACODE |
None | Normal exit. | normal, successful completion | ORA-00000 |
Either remove the unique restriction or do not insert the key. | An UPDATE or INSERT statement attempted to insert a duplicate key. For Trusted Oracle configured in DBMS MAC mode, you may see this message if a duplicate entry exists at a different level. | unique constraint (string.string) violated | ORA-00001 |
Either remove the unique restriction or do not insert the key. | An UPDATE or INSERT statement attempted to insert a duplicate key. For Trusted Oracle configured in DBMS MAC mode, you may see this message if a duplicate entry exists at a different level. | unique constraint (string.string) violated | ORA-1 |
This is used internally; no action is required. | The current session was requested to set a trace event by another session. | session requested to set trace event | ORA-00017 |
This is used internally; no action is required. | The current session was requested to set a trace event by another session. | session requested to set trace event | ORA-17 |