I finally got this working, and it turned out to be something very, very simple. The tables and fields in my database are all in upper case, and our database (Oracle 10g) generally doesn’t care about case when it is queried. The fields I’ve defined in Splunk have the same names as column names in the database but are in Camel Case.
In the “Lookup Fields” section of my lookup, I had defined the first field (input field/key) in Camel Case, and then down in the “Advanced lookup settings” section, I had also defined the “Input Field” in Camel Case. It appears that, for this lookup to work, I need to define the key in the “Lookup Fields” section in UPPER CASE to match my database and define the input field in the “Advanced lookup settings” section in Camel Case to match the Splunk field. Once I figured out the right combination to put into the Advanced Lookup, it worked!
I don't know if this is the same problem you're encountering or not, jdunlea_splunk, but you might take a second look at your advanced lookups and see if this has anything to do with it.