I was running Splunk DB Connect version 2.2.0 perfectly and it would return more than one value of a lookup as result1,result2. I have upgraded to 2.4.0 and now the values are displayed as [u'result1', u'result2']. Single values such as result1 are displayed without wrapping them in u'' or the brackets. What setting has changed in 2.4.0 that has caused this? I'm thinking about rolling back to 2.2.0 if I can't resolve this. Thanks in advance!
I would try DBConnect v3 (just out yesterday) and if it is not fixed, I would DEFINITELY open a support ticket.
Sorry, I looked and didn't see anything obvious. You could use the rex and makemv commands etc to make it work if you want.
Other than that I'm thinking the developers of the app will know how to fix it in a few minutes.
This behavior occurs when you're using JSON lib in Python and aren't dumping to string. I assume it's a bug in the code without looking. Which makes me doubt there's a setting to fix it. Just what I'm thinking based on my experience with Python.
Which command are you using when this happens? I can probably debug it and tel you what lines to modify to fix it.
I'm working with support on the issue now, and I'm told that it appears to be a bug. Python should be outputting the values as a string, but it's outputting as a python list for some reason. If you happen to know where in the code I need to look, I'll be glad to give it a try.
Thanks for the reply! Below is a neutralized version of my search:
index=myindex |
iplocation IP | search Country != "United States" |
eval username=lower(username) |
lookup local=1 db_connect_webusers_lookup user_name AS username |
table _time username Country webusers_country
If webusers_country contains one value (a country in this case) it appears as China. If it contains two or more values, it's displayed as [u'China', u'Japan'] and etc. depending on the number of countries.
My research ended up upon the same line of thinking that you're on, but I'm not sure exactly how to troubleshoot. I don't notice any search time errors either.
Thanks again for your help!