Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- About scottl2k2
scottl2k2
Explorer
Member since:
04-23-2015
06-05-2020
Community Statistics
| Posts | 11 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 04-23-2015 |
Activity Feed
- Got Karma for Re: Splunk Add-on for Oracle Database: Why are we unable to retrieve lookup values to add to one of our alerts on Splunk 5.0.3?. 06-05-2020 12:47 AM
- Posted Re: Splunk Add-on for Oracle Database: Why are we unable to retrieve lookup values to add to one of our alerts on Splunk 5.0.3? on All Apps and Add-ons. 04-28-2015 07:03 AM
- Posted Re: Splunk Add-on for Oracle Database: Why are we unable to retrieve lookup values to add to one of our alerts on Splunk 5.0.3? on All Apps and Add-ons. 04-24-2015 01:13 PM
- Posted Re: Splunk Add-on for Oracle Database: Why are we unable to retrieve lookup values to add to one of our alerts on Splunk 5.0.3? on All Apps and Add-ons. 04-24-2015 11:48 AM
- Posted Re: Splunk Add-on for Oracle Database: Why are we unable to retrieve lookup values to add to one of our alerts on Splunk 5.0.3? on All Apps and Add-ons. 04-24-2015 10:27 AM
- Posted Re: Splunk Add-on for Oracle Database: Why are we unable to retrieve lookup values to add to one of our alerts on Splunk 5.0.3? on All Apps and Add-ons. 04-24-2015 08:54 AM
- Posted Re: Splunk Add-on for Oracle Database: Why are we unable to retrieve lookup values to add to one of our alerts on Splunk 5.0.3? on All Apps and Add-ons. 04-24-2015 07:45 AM
- Posted Re: Splunk Add-on for Oracle Database: Why are we unable to retrieve lookup values to add to one of our alerts on Splunk 5.0.3? on All Apps and Add-ons. 04-24-2015 07:18 AM
- Posted Re: Splunk Add-on for Oracle Database: Why are we unable to retrieve lookup values to add to one of our alerts on Splunk 5.0.3? on All Apps and Add-ons. 04-23-2015 03:04 PM
- Posted Re: Splunk Add-on for Oracle Database: Why are we unable to retrieve lookup values to add to one of our alerts on Splunk 5.0.3? on All Apps and Add-ons. 04-23-2015 01:55 PM
- Posted Re: Splunk Add-on for Oracle Database: Why are we unable to retrieve lookup values to add to one of our alerts on Splunk 5.0.3? on All Apps and Add-ons. 04-23-2015 08:57 AM
- Posted Splunk Add-on for Oracle Database: Why are we unable to retrieve lookup values to add to one of our alerts on Splunk 5.0.3? on All Apps and Add-ons. 04-23-2015 07:04 AM
- Tagged Splunk Add-on for Oracle Database: Why are we unable to retrieve lookup values to add to one of our alerts on Splunk 5.0.3? on All Apps and Add-ons. 04-23-2015 07:04 AM
- Tagged Splunk Add-on for Oracle Database: Why are we unable to retrieve lookup values to add to one of our alerts on Splunk 5.0.3? on All Apps and Add-ons. 04-23-2015 07:04 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 |
04-28-2015
07:03 AM
1 Karma
Thanks for your help... when your last suggestion returned no results, it helped me to find my problem.
The results kept showing "RETURNCODE", but if I'd been looking at the "Interesting Fields" section on the left, I would've noticed that the field was listed as "returncode".
I feel foolish, but it was as simple as changing my query to:
index="oracle*" sourcetype="os_audit" action="17"
| lookup oracle_returncode.csv RETURNCODE as returncode OUTPUT result as RC
Thanks!
... View more
04-24-2015
01:13 PM
Thanks... still no luck. RC doesn't show up at all. This is incredibly frustrating, and I appreciate your patience.
I tried setting up the "advanced options" with a minimum and maximum of one, and a default match value of "success". If it's failing to make matches, shouldn't it have returned "success" for every event?
... View more
04-24-2015
11:48 AM
Thanks... I seem to be having some trouble with the regular expression. Could you tell me what it's trying to do?
... View more
04-24-2015
10:27 AM
This only way that I was able to get it to display that way was by surrounding the value in "tripled double-quotes" in the CSV:
"""0"""
It didn't change anything.
If it wasn't able to match the zero, shouldn't it have matched the wildcard?
... View more
04-24-2015
08:54 AM
The result is a table with two columns, and two rows.
> RETURNCODE result
> ---------- --------
> 0 success
> * failure
... View more
04-24-2015
07:45 AM
That's odd - I can see the images. I'm not sure why others cannot. I don't have enough "karma" to post images, unfortunately.
No, I did not get any results for the stats values(RC).
[url=http://postimage.org/][img=http://s29.postimg.org/ooueja5l3/1_All_Fields.jpg][/url]
[url=http://postimage.org/][img=http://s29.postimg.org/smho8osef/2_Results.jpg][/url]
[url=http://postimage.org/][img=http://s29.postimg.org/67zzsgpmv/3_Details.jpg][/url]
Thanks Again,
Scott
... View more
04-24-2015
07:18 AM
I had some difficulty figuring out how to get an image up here. I hope this works...
1) This is what I get when I try to show "All Fields":
2) When I run your search, I get:
3) Clicking "inspect" gives me:
... View more
04-23-2015
03:04 PM
I'll try this first thing in the morning... thanks!
... View more
04-23-2015
01:55 PM
I'm hoping that I understand everything correctly...
The search does return results. The problem we're having is that it does not include the "RC" field.
When I pull up the lookup table as you suggest, we can confirm that "result" is there, and valid. In fact, if I change it to something invalid, I receive an error right away.
"Click on "more fields" and select "All Fields"." - the closest thing I see is "View all 30 fields" in the left column. Clicking that gives me a dialog and RC is nowhere to be found on that list.
Did I misunderstand something?
Thanks!
... View more
04-23-2015
08:57 AM
Thank you for the suggestions...
1) The "politics" of our environment make restarting difficult. I thought that lookups defined through the Web UI did not require a restart?
2) Replacing "as" with "AS" had no effect.
3) "| lookup oracle_returncode.csv" results in the error message "Error in 'lookup' command: Must specify one or more lookup fields.
"| inputlookup oracle_returncode.csv" resulted in a table containing the values from the .CSV.
... View more
04-23-2015
07:04 AM
We are attempting to add lookup values to one of our alerts on a 5.0.3 installation. We do not have access to the file system, so all of our work needs to be done through the Web UI.
I’ve copied the values found at http://docs.splunk.com/Documentation/AddOns/released/Oracle/Lookups and saved them as .CSV files.
I then went to Manager > Lookups > Lookup Table Files and uploaded them in our Oracle “App Context”.
I then visited “Permissions”, and set it to “Read” for “Everyone” in “This app only”.
Back in the app context, if I search for
index="oracle*" sourcetype="os_audit" action="17"
I get many results that look like this:
Apr 23 08:28:05 dvl8-oracle-01 Oracle Audit[8135]: LENGTH: "342" SESSIONID:[8] "26756899" ENTRYID:[1] "2" STATEMENT:[2] "22" USERID:[10] "SHARED_REF" USERHOST:[5] "XXXXXXX" TERMINAL:[7] "unknown" ACTION:[2] "17" RETURNCODE:[1] "0" OBJ$CREATOR:[10] "SHARED_REF" OBJ$NAME:[20] "XXXXXX" OBJ$PRIVILEGES:[16] "---------Y------" AUTH$GRANTEE:[6] "PUBLIC" OS$USERID:[4] "XXXXXX" DBID:[10] "3479291889"
If I change that to
index="oracle*" sourcetype="os_audit" action="17"
| lookup oracle_returncode.csv RETURNCODE as RETURNCODE OUTPUT result as RC
I get the message “Assuming implicit lookup table with filename ‘oracle_returncode.csv’” , but the results are no different. Our goal is to get a human-readable value (RC) to include with our alerts.
It seems that my syntax is correct. If I change the first occurrence of “RETURNCODE” to something else, I get “Error in ‘lookup’ command: Could not find all of the specified lookup fields in the lookup table.” If I change “result”, I get the same message.
I’m new to Splunk - I’ve done quite a bit of searching, and I’ve tried everything that I can think of. Any guidance would be greatly appreciated.
... View more
