DBXlookup function in report causing random fields to be blank?

BradOH
Path Finder

We have a simple report which collates several lookups into a single lookup each night to support our dashboards. We recently added a dbxlookup command to add their user_id from one system, but for whatever strange reason, this causes other source fields to vanish from the final report. See below...

| inputlookup region1_employees.csv | append [ inputlookup region2_employees.csv ] | append [ inputlookup region3_employees.csv ] 
... do a bunch of stuff...(ldapfilters, etc..)
... add user_id from database...
| dbxlookup connection="DATABASE" query="SELECT User_Id,User_Login FROM db.Users" "User_Login" AS "User_Login" OUTPUT "User_Id" AS "User_Id"
| table Email_Address Name Position Site User_Id User_Login User_First_Name User_Last_Name userAccountControl

If the dbxlookup is NOT included in the report, all fields are returned (except User_Id of course).  When the dbxlookup function is included, some fields are blank in the table (e.g. Position and Site have no values in this example).  What is going on?!?!

0 Karma

tscroggins
Champion

Hi @BradOH,

Which Splunk DB Connect version and JDBC driver and version are you using? Does the problem only occur when append subsearches are present? Does the problem occur when using makeresults, e.g.:

| makeresults format=csv data="
User_Login
jdoe1
"
| dbxlookup connection="DATABASE" query="SELECT User_Id, User_Login FROM db.Users" User_Login output User_Id

On a side note, you can chain inputlookup commands directly without using append subsearches:

| inputlookup region1_employees.csv
| inputlookup append=t region2_employees.csv
| inputlookup append=t region3_employees.csv

 

0 Karma

livehybrid
SplunkTrust


0 Karma