Hi,
I'm using a dbxlookup.
While searching WITHOUT the lookup I get all events.
With the dbxlookup, some events are missing, thus the dbxlookup isn't used in the first step.
All results:
index=main
| fields *
| search source=A
| search ANum=Number
| stats count
Missing results while using DBXLOOKUP:
index=main
| fields *
| dbxlookup lookup=Lookup1
| search source=A
| search ANum=Number
| stats count
Thanks.
LH
Hi,
There are two ways to use the dbxlookup command.
dbxlookup chunksize= lookup=
The argument refers to the lookup you defined in DB Connect UI.
From DB Connect 3.1.0, the dbxlookup command allows users to declare Splunk fields/table column mapping directly in the options. The syntax is similar to lookup. Users do not have to create a lookup in the UI before using it in the dbxlookup command.
dbxlookup connection= query= chunksize= AS OUTPUT AS
Also go through the Splunk documentation link below:
https://docs.splunk.com/Documentation/DBX/3.1.4/DeployDBX/Createandmanagedatabaselookups
What events are missing?
Splunk cannot find events during the whole timespan.
-->Searching 7 days --> getting the results for 1 day
Searching day by day I get every event but the whole span --> missing events
I get an error sign under the search but no explanation. In the search.log the error is next to ChunkedExternProcessor
What is the full text of the ChunkedExternProcessor error message?