Splunk Search

lookup does not show new added lines

JeroenDenBoer
Explorer

All,
I've got a strange issue regarding lookup tables (and seen in two lookup tables now).
I have a lookup table "serialnr.csv" containing
serialnumber,host,location
10,device_a,location_a
20,device_b,location_a
30,device_c,location_b

This is also set up in props.conf and transforms.conf.
In my index only the serialnumber is seen, and recognized as serialnumber.
My search contains:
index=myindex | lookup serialnr.csv serialnumber as serialnumber output host as hostname | table serialnumber, hostname
Output looks like
20 device_b
20 device_b
10 device_a
30 device_c

All info is shown and this works well for several months.
I added 1 line in serialnr.csv with the info of serialnr 25,
so serial.csv now contains
serialnumber,host,location
10,device_a,location_a
20,device_b,location_a
25,device_d,location_c
30,device_c,location_b

When I do the same search I get blank fields behind serialnumber 25, where at all other serialnumbers all info is shown.
Output is now
20 device_b
20 device_b
10 device_a
30 device_c
25
10 device_a
30 device_c

When doing a stats, based on the result of the lookup, then the record of serialnr 25 will not show at all in the result.

I have the same issue with another lookup table.
I restarted all Splunk servers we have in use.
Still the issue remains.

It must be something simple, but I can't figure out what (and in the meantime our reports are missing information).

Who has a clue?

0 Karma

DalJeanis
SplunkTrust

Check to make sure there isn't an extra (or missing) comma in one line of the csv. We've had serious issues when that happens.

0 Karma
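
The check suggested above can be automated. This added example (not code from the thread or from Splunk) lints a lookup CSV for rows whose field count differs from the header, and goes slightly beyond the comma check by also flagging stray whitespace or non-printable characters in a cell. The sample data is constructed from the question's table with defects injected, and `lint_lookup` is a hypothetical helper name.

```python
import csv
import io

# Constructed sample: the lookup from the question, with defects injected
# for illustration (extra comma on one row, trailing space on another key).
SAMPLE = (
    "serialnumber,host,location\n"
    "10,device_a,location_a\n"
    "20,device_b,,location_a\n"
    "25 ,device_d,location_c\n"
    "30,device_c,location_b\n"
)


def lint_lookup(text):
    """Return a list of (line_number, problem) tuples for a lookup CSV."""
    problems = []
    if text.startswith("\ufeff"):
        # A BOM becomes part of the first header name if it is not stripped.
        problems.append((1, "byte-order mark before the first header name"))
        text = text[1:]
    reader = csv.reader(io.StringIO(text, newline=""))
    header = next(reader, None)
    if header is None:
        return [(1, "file is empty")]
    for row in reader:
        line_no = reader.line_num
        if not row:
            problems.append((line_no, "blank line"))
            continue
        if len(row) != len(header):
            problems.append(
                (line_no, "%d fields, header has %d" % (len(row), len(header))))
        for name, cell in zip(header, row):
            # Invisible characters make an exact-match key differ from the event value.
            if cell != cell.strip() or not cell.isprintable():
                problems.append(
                    (line_no, "whitespace or non-printable character in %r: %r" % (name, cell)))
    return problems


if __name__ == "__main__":
    for line_no, problem in lint_lookup(SAMPLE):
        print("line %d: %s" % (line_no, problem))
```
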

JeroenDenBoer
Explorer

Done that, but that seems not to be the issue.

0 Karma