Hi,
I read about many similar issues here, but I was not able to get a satisfying answer.
I am trying to use a lookup table, lut.csv , to add information to some events. That LUT is written over daily with an outputlookup . Some days, usually in streak of 2-3 days, the lookup will fail for most events.
My search looks like this:
(...) | table ___time, ID, fieldA | lookup lut.csv ID OUTPUT fieldB
With inputlookup , I validated that for ID="banana" , fieldB="yellow" in lut.csv . However, whenever I use lookup, fieldB will be empty.
Here is some information that may be relevant:
I'm using version 4.3.6
When it "fails", about 5-10% of ID will still be succesfully joined to the appropriate fieldB .
I tried the same search, specifying only one ID, it still couldn't join fieldB , but this time generated the following error: Empty csv lookup file (contains only a header) for table 'lut.csv': /opt/splunk/etc/apps/search/lookups/lut.csv (I confirm it is not empty)
Any idea what is the issue (and how to solve it)?
Thanks!
EDIT: This issue is exactly the same, but no answer 😞
http://answers.splunk.com/answers/78891/lookup-does-not-return-results-for-all-fields
... View more