I setup Splunk DB Connect and configured it to use my Oracle database. I verified that Splunk can contact my database as I was able to get a listing of the schema from within the DB Connect app.
What I have are a bunch of FTP logs that are being indexed by Splunk and each file referenced in the FTP logs is cataloged in my database. I want to display additional information for each FTP event (in this test case the MD5 sum for the referenced file stored in the database).
I setup a field extraction for the FTP logs as described here:
hxxp://www.element84.com/multi-field-extractions-in-splunk.htmlI configured db connect using the web interface but here is the configuration that was generated:
bash-3.00$ cat ./apps/search/local/dblookup.conf
[default]
[export_1]
advanced = 0
database = TST3
fields = path,md5
table = export_1
bash-3.00$ cat ./apps/search/local/transforms.conf
[default]
[export_1]
external_cmd = dblookup.py export_1
fields_list = path,md5
The path column in the database is the file name which corresponds to the filename field defined by my field extraction.
This is the query I am attempting to execute:
sourcetype=xferlog | lookup export_1 path as filename
This produces the following error in dbx.log
2013-06-13 21:31:31.201 dbx9378:INFO:BridgeSession - Executing Bridge command: BridgeExecutionInfo{className=com.splunk.dbx.lookup.DatabaseLookupExecutor}
2013-06-13 21:31:31.284 dbx9378:INFO:DatabaseLookupExecutor - Performing simple lookup=export_1
2013-06-13 21:31:31.285 dbx9378:ERROR:DatabaseLookupExecutor - Error while performing SplunkLookup DatabaseLookupExecutor: com.splunk.dbx.lookup.DBLookupException: No such column "path" for table export_1
com.splunk.dbx.lookup.DBLookupException: No such column "path" for table export_1
at com.splunk.dbx.lookup.DatabaseLookupExecutor.performSimpleLookup(DatabaseLookupExecutor.java:59)
at com.splunk.dbx.lookup.DatabaseLookupExecutor.performLookup(DatabaseLookupExecutor.java:41)
at com.splunk.runtime.SplunkLookup.invoke(SplunkLookup.java:26)
at com.splunk.bridge.session.BridgeSession.call(BridgeSession.java:92)
at com.splunk.bridge.session.BridgeSession.call(BridgeSession.java:30)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:722)
2013-06-13 21:31:31.287 dbx9378:INFO:BridgeSession - Caught Exit exception: JavaBridgeExitException{status=1}
2013-06-13 21:31:31.287 dbx9378:INFO:BridgeSession - Execution finished in duration=85 ms with status=1
2013-06-13 21:31:31.289 dbx9378:INFO:ExecutionContext - Execution finished in duration=88 ms
I have no idea why it cannot find the path column in the export_1 database table. The only thing I can think of is that db connect is connecting to the database using different schema than the one that owns export_1, although there is a public synonym for export_1.
Any idea how I have configured this incorrectly?