Splunk Search

Lookup Table returning incorrect data

MasterOogway
Communicator

I have a Lookup Table that returns data from all 32 columns, but many times data that is confirmed good in the assetlist.csv file comes back as "unknown". Here is a snippet of my header in assetlist.csv:

logicalname,building,cabinet,cabinetslot,customerfacing,deploystatus

Along with a snippet of the next line under the header:

albia,e,ell_mfrm ax031,02,non-customer,production

Something as simple as asking for the "building" or "cabinet" is returned as "unknown". Here is my search string:

earliest=-1m | lookup assetlist logical_name OUTPUT building | stats count by building

and from this search it returns "building 'unknown' count=55129".

Any ideas or thoughts behind why some of the data populates but other data doesn't?

I get the same incorrect results when I run this type of search:

earliest=-1m | table building cabinet

PS. When building the Lookup Table using the UI I checked the "automatic lookups" option so I get all the fields, all the time. Here are the first six columns from that part of the installation:

assetlist logical_name AS host OUTPUTNEW building AS building cabinet AS cabinet cabinet_slot AS cabinet_slot customer_facing AS customer_facing deploy_status AS deploystatus

This setup is as generic as possible and nothing tricked out to do anything fancy so I would think it would work "all the time".

MasterOogway

0 Karma

tfletcher_splun
Splunk Employee

Without more information I think the most likely thing is that your lookup is accidentally configured as a temporal lookup, meaning there should be a match but it is trying to get a time-dependent match and fails.

Another possibility is that your lookup command is malformed. It looks like you are trying to look up based on the host field of your data, so the search should be:

earliest=-1m | lookup assetlist logical_name as host OUTPUT building | stats count by building

Also, the name in your example is logicalname and in your search logical_name; which is it?

For a better answer please provide a sample event, full line of the lookup table, and the props and transforms entries for the events and the lookup.

0 Karma

MasterOogway
Communicator

...more data has come out after my initial posting. It turns out our Asset Management tool is supplying the hosts for the LOOKUP Table in "short names" while the syslog is being indexed as FQDN AND short names. When the lookup table tries to match a FQDN it fails and produces an "unknown" status. Once I figure out how to strip off FQDN to short names my searches should be successful.

0 Karma
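An added example (not from this thread) of the short-name normalization the follow-up describes. The first search strips any domain suffix and lower-cases the host before the lookup (CSV lookups match case-sensitively by default), then labels misses explicitly instead of leaving the field empty; the second search is a check that lists whatever hosts still fail to match after normalization. It assumes the lookup column is called logicalname, as in the CSV header quoted above, and that the event field holding the hostname is host.

```spl
earliest=-1m
| eval host_short=lower(replace(host, "\..*$", ""))
| lookup assetlist logicalname AS host_short OUTPUT building cabinet
| fillnull value="unknown" building cabinet
| stats count BY building cabinet

earliest=-1m
| eval host_short=lower(replace(host, "\..*$", ""))
| lookup assetlist logicalname AS host_short OUTPUTNEW building
| where isnull(building)
| stats count BY host host_short
```

If the remaining misses are all one shape (for example hosts with a site prefix), the same eval with a narrower regex can be added to props.conf as an EVAL- so the automatic lookup sees the normalized name too.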