All Apps and Add-ons

Splunk DB Connect 2: The (db) lookup script returned error code 1...

dimoklis
Explorer

Hi all,

Sorry for the "same" title as many other posts have, but I have gone through all the related with no luck I am afraid..

My setup is as following:

Distributed env 1 SH 1 IND both 6.2.2
DB Connect v2 (2.0.4) installed in SH with Java 8 and MySQL J Connector v5.1.*

Setting up DB identities and connections within my app context works perfectly fine.
Setting up db lookups is also almost fine, apart from the fact that I am only getting partial (if any) results in the Preview your Lookup step (5) of the creation process. Lets call this MyLookup in DB Connect.

I have copied the dblookup.py script in my app's bin folder after getting the error that the script does not exist.

I am calling the lookup as following on the DB Fields -call it DBF:

...| rename SPF as DBF| lookup db_connect_MyLookup DBF 

DBF is renamed from my Splunk Field - call it SPF

db_connect_MyLookup is how the db lookup is named automatically in my Splunk Lookups.

All access rights and permissions are set properly I think since i am calling the lookup within my app.

I am getting the aforementioned error without DB Connect complaining in its "Health" service.

The strange thing (for me as a newbie) is that the error comes with my indexer's tag at the front when i am running the search.

like:

[indexerID] The script for the lookup "MyLookup" returned with error code 1. Results may not be complete...etc...

Any thoughts and pointers would be greatly appreciated.

PS. I am getting similar errors when trying to lookup in an Oracle DB using the same setup.

zashishz
New Member

Run your lookup query again once you get "returned with error code 1" error. then search index="_internal" sourcetype=dbx2 to find error you are getting.

Sometimes If you are using java 1.8 in your system then try using ojdbc7.jar. Hope this'll Help

0 Karma

jsilverbears
Path Finder

A couple questions about this:
1) How many rows are you expecting from your lookup? When you say apart from the fact that I am only getting partial (if any) results in the Preview, it sounds like you are not pulling all the rows you are expecting to or there simply is no translation in the lookup for those rows.
2) Does you db lookup work for a time and then starts giving you this error or does it happen immediately? Based off the Preview issue, I suspect immediately.
3) Are you running multiple indexers? I got this error for, probably, a different reason and mine did not mention the indexer, probably because I am only running one. I ask because this may not be a symptom of your problem.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...