Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk DB connect DBX Query error

anitaroseline
New Member
‎11-27-2018 03:02 AM

Dear all ,

I have splunk db connect and using many input connections successfully.One specific connection throws this error

Error in 'dbxquery' command: External search command exited unexpectedly with non-zero error code 1.

/****** Script for SelectTopNRows command from SSMS ******/
SELECT TOP 1000 [NUMBER]
,[OPEN]
,[CATEGORY]
,[SUBCATEGORY]
,[MODEL]
,[CURRENT_PHASE]
,[IMPACT]
,[STATUS]
,[PRIORITY]
,[APPROVAL_STATUS]
,[ALERT]
,[ALERT_NAMES]
,[PENDING_GROUPS]
,[REASON]
,[SUBMIT_DATE]
,[UPDATE_DATE]
,[CLOSE_DATE]
,[CANCELLED_DATE]
,[REQUESTOR_NAME]
,[COORDINATOR_NAME]
,[COORDINATOR_DEPT]
,[ASSIGNED_TO]
,[SHIP_TO_CODE]
,[BILL_TO_CODE]
,[TOTAL_COST]
,[BILL_TO_EXT]
,[SHIP_TO_EXT]
,[PROJECT_ID]
,[PLANNED_START]
,[PLANNED_END]
,[REQUESTED_FOR]
,[BRIEF_DESCRIPTION]
,[FUTURE_GROUPS]
,[APPROVED_GROUPS]
,[BILL_TO_DEPT]
,[COMPANY]
,[ALERT_STATUS]
,[SVC_OPTIONS]
,[FOLDER]
,[SLA_BREACH]
,[NEXT_BREACH]
,[SVCCARTID]
,[AGREEMENT_IDS]
,[ASSIGNED_GROUP]
,[UPDATE_ACTION]
,[CUST_VISIBLE]
,[CLOSURE_CODE]
,[CLOSURE_COMMENTS]
,[DELIVERY_DATE]
,[COST_CURRENCY_CODE]
,[CLOSED_BY]
,[DESCRIPTION]
,[GLOBAL_LEAD_TIME]
,[REQUESTED_DATE]
,[MODELNAME]
,[SYSMODTIME]
,[SYSMODUSER]
,[SYSMODCOUNT]
,[SEVERITY]
,[OPENED_BY]
,[AFFECTED_ITEM]
,[LOGICAL_NAME]
,[ESCALATED]
,[OWNER]
,[LABOR]
,[FOREIGN_ID]
,[OTRSREFERENCENUMBER]
,[LASTASSIGNMENTGROUP]
,[REFERENCE_ID]
,[TICKET_TYPE]
,[OTRSINTERFACE]
,[ATTACHDATA]
,[ATTACHFILENAME]
,[LANGUAGE]
,[FULFILMENT_DATEOLY]
,[REQUEST_SUBSTATUS]
,[ATTACHMENTLOCATION]
,[OTRSFILENAME]
,[OTRSFILENAMES]
,[INCIDENT_ID]
,[REQVIPUSER]
,[EUCDEVICETYPE]
,[OSTEREFERENCENUMBER]
,[UPDATEACTION]
,[KPF_ID]
,[BACKTOFULFILLDATE]
,[BACKTOFULFILL]
,[OLY_TTR]
,[OLY_IO_OFFICER]
,[OLY_SALES_OFFICER]
,[OLY_COUNTRY]
,[OLY_ORIGIN]
,[OLY_FIELD_TECHNICIAN]
,[OLY_FIELD_TECHNICIAN1]
,[OLY_BACKTOFULFILL_LIST]
FROM [servicemanager].[dbo].[REQUESTM1] where SYSMODTIME > ? ORDER BY SYSMODTIME ASC

0 Karma
Reply

rapmancz
Explorer
‎02-04-2021 04:43 AM

I have the same issue, but for all connections, "Error in 'dbxquery' command: External search command exited unexpectedly with non-zero error code 1." Splunk is indexing already existing database inputs (from MySQL), I am not able to add any new input because of this failure.  I could not find any records in log files so I do not have a clue what I can change to fix it....

0 Karma
Reply

hpbrand
Explorer
‎03-23-2021 07:21 AM

Hi, had the same problem.  After weeks of troubleshooting I found following entry under default/commands.conf

####### uncomment following lines to revert dbxquery to 3.2.0 version
# [dbxquery]
# run_in_preview = false
# filename = java.path
# chunked = true
# command.arg.1 = -Dlogback.configurationFile=../config/command_logback.xml
# command.arg.2 = -DDBX_COMMAND_LOG_LEVEL=INFO
# command.arg.3 = -cp
# command.arg.4 = ../jars/dbxquery.jar
# command.arg.5 = com.splunk.dbx.command.DbxQueryCommand

Gave it  a try and copied all over to local/commands.conf and it works.

Reply

reswob4
Builder
‎11-28-2018 10:49 AM

Have you tried that query in the SQL Explorer tab on your DB Connect? I found that when I was having problems, running the query there helped me troubleshoot.

0 Karma
Reply

anitaroseline
New Member
‎11-30-2018 04:07 AM

Yes i did and same error persists

0 Karma
Reply

reswob4
Builder
‎12-07-2018 12:57 PM

I'm working with Splunk Support on a similar issue. One suggestion they made to help troubleshoot is to run the query from the Search window.

Here's a copy of the instructions they sent me:

| dbxquery query="LONG_QUERY" connection="YOUR_CONNECTION_NAME" timeout=6000

The easiest way to do this is to hit the “Open In Search” button on the SQL Explorer screen after you have written out the full query (the button is to the upper right corner). When the query opens on the next page just add timeout=6000 to the search as shown above.

As you probably can guess, this will enable you to test different portions of your query quickly. I'm using it to try and narrow down which part of my query is giving me trouble.

You can add or subtract or remove the timeout part......

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-27-2018 04:54 AM

Have you checked the dbx logs? Do the logs on the DB side shed any light on the problem?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

anitaroseline
New Member
‎11-28-2018 02:43 AM

The same query works well while i run in sql studio

0 Karma
Reply

joebisesi
Path Finder
‎11-28-2018 07:44 AM

You said "one specific connection". Can you run other queries against that 'connection'?

0 Karma
Reply

anitaroseline
New Member
‎12-02-2018 10:23 PM

yes it works

0 Karma
Reply

anitaroseline
New Member
‎11-27-2018 11:09 PM

No such errors found.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...