Suppose I performed the following subsearch
index=whatever "name=" [|inputlookup lookup_file.csv | return 100 $lookup_id]
And lookup_file.csv has only id=456. Against thousands of logs, but one of those log events has the following output:
[name="ABC", id=123, name="DEF", id=456]
I saw that when I performed a search similar to this, the log would be returned with the lookup_id of 456 even though both 123 and 456 were present in the log. Is it expected behavior for inputlookup to return this log even if id=123 is found before id=456? Basically, does inputlookup return logs that have multiple values for the same field?
... View more