I apologize - I'm a Splunk newbie and my Splunk sysadmin won't answer any questions and says the problem isn't with Splunk (I obviously suspect otherwise).
I have created a database lookup. The credentials used are verified good. I know that Splunk is able to talk to the database, as it is able to pre-fill the database column names. But every time I try to run a search with the lookup command, it generates two warnings "Script for lookup table 'LOOKUP NAME' returned error code 47. Results may be incorrect." And the same with error code 1.
Based on other threads here, I tried running
index=_internal sourcetype=dbx_debug severity=ERROR OR severity=FATAL
and that returned nothing. Stripping out the severity returned 27 records for the past 15 minutes, all of which look normal.
I've created a clone of the database lookup with a CSV, and when I run the same search, but substitute the file system lookup for the database lookup, it works fine. Did I simply mis-configure the database lookup somehow?
I know that the table will return >10,000 rows (about 14,700 specifically) - is that the problem?
What else can I do to troubleshoot, assuming I don't have access to the Splunk file system?
Thanks in advance for your suggestions!
I have the exact same issue. The only 'solution' I find relates to a double \ for the db server which I do not have. What is error code 47 ? It must have a description ?
I gave up on this.
Thanks to this thread (and specifically jpass's response): https://answers.splunk.com/answers/79893/dbconnect-can-we-populate-a-lookup-table-from-database-data..., I've configured a periodic CSV dump out of the database, which is probably a more efficient method anyway, given the relatively infrequent data changes.
I have the exact same problem...but my DB contains more than 30 millions entries...a CSV dump is not an option...