Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Database lookup during search returning error 1 an...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I apologize - I'm a Splunk newbie and my Splunk sysadmin won't answer any questions and says the problem isn't with Splunk (I obviously suspect otherwise).
I have created a database lookup. The credentials used are verified good. I know that Splunk is able to talk to the database, as it is able to pre-fill the database column names. But every time I try to run a search with the lookup command, it generates two warnings "Script for lookup table 'LOOKUP NAME' returned error code 47. Results may be incorrect." And the same with error code 1.
Based on other threads here, I tried running
index=_internal sourcetype=dbx_debug severity=ERROR OR severity=FATAL
and that returned nothing. Stripping out the severity returned 27 records for the past 15 minutes, all of which look normal.
I've created a clone of the database lookup with a CSV, and when I run the same search, but substitute the file system lookup for the database lookup, it works fine. Did I simply mis-configure the database lookup somehow?
I know that the table will return >10,000 rows (about 14,700 specifically) - is that the problem?
What else can I do to troubleshoot, assuming I don't have access to the Splunk file system?
Thanks in advance for your suggestions!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I gave up on this.
Thanks to this thread (and specifically jpass's response): https://answers.splunk.com/answers/79893/dbconnect-can-we-populate-a-lookup-table-from-database-data..., I've configured a periodic CSV dump out of the database, which is probably a more efficient method anyway, given the relatively infrequent data changes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I gave up on this.
Thanks to this thread (and specifically jpass's response): https://answers.splunk.com/answers/79893/dbconnect-can-we-populate-a-lookup-table-from-database-data..., I've configured a periodic CSV dump out of the database, which is probably a more efficient method anyway, given the relatively infrequent data changes.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the exact same problem...but my DB contains more than 30 millions entries...a CSV dump is not an option...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the exact same issue. The only 'solution' I find relates to a double \ for the db server which I do not have. What is error code 47 ? It must have a description ?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
