Splunk Enterprise Security

Splunk DB connect DBX Query error

New Member

Dear all ,

I have splunk db connect and using many input connections successfully.One specific connection throws this error

Error in 'dbxquery' command: External search command exited unexpectedly with non-zero error code 1.

/****** Script for SelectTopNRows command from SSMS ******/
FROM [servicemanager].[dbo].[REQUESTM1] where SYSMODTIME > ? ORDER BY SYSMODTIME ASC

0 Karma


I have the same issue, but for all connections, "Error in 'dbxquery' command: External search command exited unexpectedly with non-zero error code 1." Splunk is indexing already existing database inputs (from MySQL), I am not able to add any new input because of this failure.  I could not find any records in log files so I do not have a clue what I can change to fix it....

0 Karma


Hi, had the same problem.  After weeks of troubleshooting I found following entry under default/commands.conf

####### uncomment following lines to revert dbxquery to 3.2.0 version
# [dbxquery]
# run_in_preview = false
# filename = java.path
# chunked = true
# command.arg.1 = -Dlogback.configurationFile=../config/command_logback.xml
# command.arg.2 = -DDBX_COMMAND_LOG_LEVEL=INFO
# command.arg.3 = -cp
# command.arg.4 = ../jars/dbxquery.jar
# command.arg.5 = com.splunk.dbx.command.DbxQueryCommand

Gave it  a try and copied all over to local/commands.conf and it works.


Have you tried that query in the SQL Explorer tab on your DB Connect? I found that when I was having problems, running the query there helped me troubleshoot.

0 Karma

New Member

Yes i did and same error persists

0 Karma


I'm working with Splunk Support on a similar issue. One suggestion they made to help troubleshoot is to run the query from the Search window.

Here's a copy of the instructions they sent me:

| dbxquery query="LONG_QUERY" connection="YOUR_CONNECTION_NAME" timeout=6000

The easiest way to do this is to hit the “Open In Search” button on the SQL Explorer screen after you have written out the full query (the button is to the upper right corner). When the query opens on the next page just add timeout=6000 to the search as shown above.

As you probably can guess, this will enable you to test different portions of your query quickly. I'm using it to try and narrow down which part of my query is giving me trouble.

You can add or subtract or remove the timeout part......

0 Karma


Have you checked the dbx logs? Do the logs on the DB side shed any light on the problem?

If this reply helps you, Karma would be appreciated.
0 Karma

New Member

The same query works well while i run in sql studio

0 Karma

Path Finder

You said "one specific connection". Can you run other queries against that 'connection'?

0 Karma

New Member

yes it works

0 Karma

New Member

No such errors found.

0 Karma
Get Updates on the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...