I have a Lookup Table that returns data from all 32 columns, but many times data that is confirmed good in the assetlist.csv file comes back as "unknown". Here is a snippet of my header in assetlist.csv:
logicalname,building,cabinet,cabinetslot,customerfacing,deploystatus
Along with a snippet of the next line under the header:
albia,e,ell_mfrm ax031,02,non-customer,production
Something as simple as asking for the "building" or "cabinet" is returned as "unknown". Here is my search string:
and from this search it returns "building 'unknown' count=55129".
Any ideas or thoughts behind why some of the data populates but other data doesn't?
I get the same incorrect results when I run this type of search:
PS. When building the Lookup Table using the UI I checked the "automatic lookups" option so I get all the fields, all the time. Here are the first six columns from that part of the installation:
assetlist logical_name AS host OUTPUTNEW building AS building cabinet AS cabinet cabinet_slot AS cabinet_slot customer_facing AS customer_facing deploy_status AS deploystatus
This setup is as generic as possible and nothing tricked out to do anything fancy so I would think it would work "all the time".
MasterOogway
Without more information I think the most likely thing is that your lookup is accidentally configured as a temporal lookup, meaning there should be a match but it is trying to get a time-dependent match and fails.
Another possibility is that your lookup command is malformed. It looks like you are trying to lookup based on the host field of your data, so the search should be:
earliest=-1m | lookup assetlist logical_name as host OUTPUT building | stats count by building
Also, the name in your example is logicalname and in your search logical_name; which is it?
For a better answer please provide a sample event, full line of the lookup table, and the props and transforms entries for the events and the lookup.
...more data has come out after my initial posting. It turns out our Asset Management tool is supplying the hosts for the LOOKUP Table in "short names" while the syslog is being indexed as FQDN AND short names. When the lookup table tries to match a FQDN it fails and produces an "unknown" status. Once I figure out how to strip off FQDN to short names my searches should be successful.
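As an added example (not from the thread), one way to normalize the event host to its short name before the lookup runs, so that both FQDN and short-name events match the short names in the lookup table. It assumes the lookup key column is `logicalname` as in the posted CSV header and that the event hostname is in `host`; `host_short` is a name chosen here:

```spl
earliest=-1m
| eval host_short=mvindex(split(host, "."), 0)
| lookup assetlist logicalname AS host_short OUTPUTNEW building, cabinet, cabinetslot, customerfacing, deploystatus
| fillnull value="unknown" building, cabinet
| stats count BY host_short, building
```

If hostnames differ only in case between the events and the table, lowercasing `host_short` with `lower()` or setting `case_sensitive_match = false` on the lookup in transforms.conf may also be needed.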