I'm working on a dashboard that shows VPN logins and Citrix XenApp applications with inputs to select a specific business unit and facility name (actual location/complex).

The way I join a Citrix application with a facility and business unit is through three lookup tables:

props.conf:

[xenapp:65:session]
LOOKUP-table1 = business_units_facilities_applications application_name OUTPUTNEW facility_id
LOOKUP-table2 = business_units_facilities facility_id OUTPUTNEW facility_id facility_name bunit
LOOKUP-table3 = business_units bunit OUTPUTNEW bunit business_unit_name

FIELDALIAS-xenapp_fields = BrowserName AS application_name

transforms.conf:

[business_units]
filename = business_units.csv

[business_units_facilities]
filename = business_units_facilities.csv

[business_units_facilities_applications]
filename = business_units_facilities_applications.csv

So what's happening is that the xenapp:65:session contains a field called BrowserName, I alias this to application_name which is in the business_units_facilities_applications lookup. I get a new field facility_id which is used to look up facility_name and bunit in the second table.

The third table looks up the friendly business_unit_name based on bunit. It all works and every field is shown in the search, except when I start drilling down in my search on any of the fields from table2 or table3. Why is that? Here's an example:

When drilling down:

I'm running Splunk 6.1.4. I've tried doing default_match=* and min_matches=1 on the lookup definitions too. Is my SQL-esque way of thinking no good for Splunk lookup tables? Would I need to use a database and DB Connect in order to do this?