Splunk Search

Database lookup during search returning error 1 and error 47

vysean
Explorer

I apologize - I'm a Splunk newbie and my Splunk sysadmin won't answer any questions and says the problem isn't with Splunk (I obviously suspect otherwise).

I have created a database lookup. The credentials used are verified good. I know that Splunk is able to talk to the database, as it is able to pre-fill the database column names. But every time I try to run a search with the lookup command, it generates two warnings: "Script for lookup table 'LOOKUP NAME' returned error code 47. Results may be incorrect." And the same with error code 1.

Based on other threads here, I tried running

index=_internal sourcetype=dbx_debug severity=ERROR OR severity=FATAL

and that returned nothing. Stripping out the severity returned 27 records for the past 15 minutes, all of which look normal.

I've created a clone of the database lookup with a CSV, and when I run the same search, but substitute the file system lookup for the database lookup, it works fine. Did I simply mis-configure the database lookup somehow?

I know that the table will return >10,000 rows (about 14,700 specifically) - is that the problem?

What else can I do to troubleshoot, assuming I don't have access to the Splunk file system?

Thanks in advance for your suggestions!

1 Solution

vysean
Explorer

I gave up on this.

Thanks to this thread (and specifically jpass's response): https://answers.splunk.com/answers/79893/dbconnect-can-we-populate-a-lookup-table-from-database-data..., I've configured a periodic CSV dump out of the database, which is probably a more efficient method anyway, given the relatively infrequent data changes.


0 Karma


tpaulsen
Contributor

I have the exact same problem... but my DB contains more than 30 million entries... a CSV dump is not an option...

0 Karma

jasonbew
Engager

I have the exact same issue. The only 'solution' I find relates to a double \ for the db server which I do not have. What is error code 47? It must have a description?

0 Karma