Splunk Search

Lookup Table returning incorrect data

MasterOogway
Communicator

I have a Lookup Table that returns data from all 32 columns, but many times data that is confirmed good in the assetlist.csv file comes back as "unknown". Here is a snippet of my header in assetlist.csv:

logicalname,building,cabinet,cabinetslot,customerfacing,deploystatus

Along with a snippet of the next line under the header:

albia,e,ell_mfrm ax031,02,non-customer,production

Something as simple as asking for the "building" or "cabinet" is returned as "unknown". Here is my search string:

  • earliest=-1m | lookup assetlist logical_name OUTPUT building | stats count by building

and from this search it returns "building 'unknown' count=55129".

Any ideas or thoughts behind why some of the data populates but other data doesn't?

I get the same incorrect results when I run this type of search:

  • earliest=-1m | table building cabinet

PS. When building the Lookup Table using the UI I checked the "automatic lookups" option so I get all the fields, all the time. Here are the first six columns from that part of the installation:

assetlist logical_name AS host OUTPUTNEW building AS building cabinet AS cabinet cabinet_slot AS cabinet_slot customer_facing AS customer_facing deploy_status AS deploystatus

This setup is as generic as possible and nothing tricked out to do anything fancy so I would think it would work "all the time".

0 Karma

tfletcher_splun
Splunk Employee

Without more information I think the most likely thing is that your lookup is accidentally configured as a temporal lookup, meaning there should be a match but it is trying to get a time-dependent match and fails.

Another possibility is that your lookup command is malformed. It looks like you are trying to lookup based on the host field of your data, so the search should be:

earliest=-1m | lookup assetlist logical_name as host OUTPUT building | stats count by building

Also, the name in your example is logicalname and in your search logical_name; which is it?

For a better answer please provide a sample event, full line of the lookup table, and the props and transforms entries for the events and the lookup.

0 Karma

MasterOogway
Communicator

...more data has come out after my initial posting. It turns out our Asset Management tool is supplying the hosts for the LOOKUP Table in "short names" while the syslog is being indexed as FQDN AND short names. When the lookup table tries to match a FQDN it fails and produces an "unknown" status. Once I figure out how to strip off FQDN to short names my searches should be successful.

0 Karma
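To make the two failure modes from this thread concrete (a lookup field name that does not match the CSV header, and indexed hosts carrying an FQDN while the lookup table holds short names), here is an added Python simulation of the CSV lookup. It is not code from the thread or from Splunk; the asset list, the sample host values and the "unknown" default are constructed for the example (in Splunk the "unknown" would come from whatever default is configured for the lookup, such as a default_match setting in transforms.conf, which is an assumption here).

```python
import csv
import io

# Constructed stand-in for assetlist.csv (not the poster's real file).
# The header uses "logicalname" and the key values are short host names,
# matching the snippet quoted in the question.
ASSETLIST_CSV = """logicalname,building,cabinet,cabinetslot,customerfacing,deploystatus
albia,e,ell_mfrm ax031,02,non-customer,production
borg,f,ell_mfrm bx014,07,customer,staging
"""

# Constructed sample of "host" values as the indexed syslog might carry them:
# a mix of FQDNs and short names, one with different letter case, and one
# host that is not in the asset list at all.
SAMPLE_HOSTS = [
    "albia",
    "albia.example.internal",
    "BORG.example.internal",
    "borg",
    "nohost.example.internal",
]


def load_lookup(csv_text, key_field):
    """Parse the CSV into {key_value: row}.

    Raises KeyError when the requested key column is not in the header,
    which is the logicalname / logical_name mismatch raised in the thread.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if key_field not in reader.fieldnames:
        raise KeyError(f"lookup field {key_field!r} not in header {reader.fieldnames}")
    return {row[key_field]: row for row in reader}


def short_name(host):
    """Reduce an FQDN to its short name and lowercase it.

    Equivalent to the SPL expression
        eval short_host=lower(replace(host, "\\..*$", ""))
    """
    return host.split(".", 1)[0].lower()


def lookup_building(table, host, normalize=False, default="unknown"):
    """Exact-match lookup of the building for one host.

    Splunk CSV lookups match whole field values and are case-sensitive by
    default, so an FQDN or a differently cased name never matches a short
    name. With normalize=True the host is reduced to its short name first.
    """
    key = short_name(host) if normalize else host
    row = table.get(key)
    return row["building"] if row else default


def count_by_building(table, hosts, normalize=False):
    """Equivalent of '| stats count by building' over the sample hosts."""
    counts = {}
    for host in hosts:
        building = lookup_building(table, host, normalize)
        counts[building] = counts.get(building, 0) + 1
    return counts


if __name__ == "__main__":
    table = load_lookup(ASSETLIST_CSV, "logicalname")
    print("raw host values:   ", count_by_building(table, SAMPLE_HOSTS))
    print("normalized hosts:  ", count_by_building(table, SAMPLE_HOSTS, normalize=True))
    try:
        load_lookup(ASSETLIST_CSV, "logical_name")
    except KeyError as err:
        print("header mismatch:   ", err)
```

Run as-is, the raw pass reports most hosts as "unknown" while the normalized pass matches every host that is actually in the asset list; the remaining "unknown" is the host that is genuinely absent, which is the only case a correct lookup should leave unmatched. In SPL the same normalization goes in front of the lookup, for example `... | eval short_host=lower(replace(host, "\..*$", "")) | lookup assetlist logicalname AS short_host OUTPUT building | stats count by building`, using the field name exactly as it appears in the CSV header.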