I have a Lookup Table that returns data from all 32 columns, but many times data that is confirmed good in the assetlist.csv file comes back as "unknown". Here is a snippet of my header in assetlist.csv:

logicalname,building,cabinet,cabinetslot,customerfacing,deploystatus

Along with a snippet of the next line under the header:

albia,e,ell_mfrm ax031,02,non-customer,production

Something as simple as asking for the "building" or "cabinet" is returned as "unknown". Here is my search string:

  • earliest=-1m | lookup assetlist logical_name OUTPUT building | stats count by building

and from this search it returns "building 'unknown' count=55129".

Any ideas or thoughts behind why some of the data populates but other data doesn't?

I get the same incorrect results when I run this type of search:

  • earliest=-1m | table building cabinet

PS. When building the Lookup Table using the UI I checked the "automatic lookups" option so I get all the fields, all the time. Here are the first six columns from that part of the installation:

assetlist logical_name AS host OUTPUTNEW building AS building cabinet AS cabinet cabinet_slot AS cabinet_slot customer_facing AS customer_facing deploy_status AS deploystatus

This setup is as generic as possible and nothing tricked out to do anything fancy so I would think it would work "all the time".

MasterOogway

asked 04 Apr '12, 09:27


One Answer:

Without more information, I think the most likely thing is that your lookup is accidentally configured as a temporal lookup, meaning there should be a match but it is trying to get a time-dependent match and fails.

Another possibility is that your lookup command is malformed. It looks like you are trying to look up based on the host field of your data, so the search should be:

earliest=-1m | lookup assetlist logical_name as host OUTPUT building | stats count by building

Also, the name in your example is logicalname and in your search logical_name; which is it?

For a better answer please provide a sample event, full line of the lookup table, and the props and transforms entries for the events and the lookup.


answered 21 Aug '12, 13:55

tfletcher_splunk

...more data has come out after my initial posting. It turns out our Asset Management tool is supplying the hosts for the LOOKUP Table in "short names" while the syslog is being indexed as FQDN AND short names. When the lookup table tries to match a FQDN it fails and produces an "unknown" status. Once I figure out how to strip off FQDN to short names my searches should be successful.

(22 Aug '12, 10:44) MasterOogway
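The two failure modes discussed on this page, a lookup whose key column is not mapped onto the event field that actually carries the hostname (the answer's `logical_name AS host` point) and a lookup table of short names matched against events that carry FQDNs (the follow-up comment), are easy to reproduce outside Splunk. The following Python script is an added example, not code from the question, the answer or Splunk; it emulates the exact-match behaviour of a CSV lookup on the header and row quoted in the question, fills "unknown" for non-matching rows (an assumption made here to mirror what the question observed), and then shows the same lookup succeeding once the event hostname is reduced to its short name. The event hostnames and domain are constructed sample data.

```python
import csv
import io

# Constructed copy of assetlist.csv using the header and first data row quoted in the question.
ASSETLIST_CSV = """logicalname,building,cabinet,cabinetslot,customerfacing,deploystatus
albia,e,ell_mfrm ax031,02,non-customer,production
"""

# Constructed sample events: the syslog feed carries both FQDN and short hostnames
# (the domain names are invented for this example).
EVENTS = [
    {"host": "albia"},                       # short name: matches the table directly
    {"host": "albia.example.com"},           # FQDN: an exact-match lookup misses it
    {"host": "albia.corp.example.com"},      # deeper FQDN, same problem
    {"host": "zebra"},                       # genuinely absent from the asset list
]


def load_lookup(csv_text, key_column):
    """Index the lookup CSV by key_column, the way a CSV lookup keys on its match field."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[key_column]: row for row in reader}


def short_name(host):
    """Strip the domain part: 'albia.example.com' -> 'albia'. Short names pass through unchanged."""
    return host.split(".", 1)[0]


def lookup(events, table, lookup_field, event_field, output_fields, normalize=None, default="unknown"):
    """Emulate `lookup <table> <lookup_field> AS <event_field> OUTPUT <output_fields>`.

    lookup_field is the column in the CSV, event_field the field on each event that holds
    the value to match. `normalize`, when given, is applied to the event value before the
    match. Rows with no match get `default` ("unknown" here, an assumption of this example).
    """
    results = []
    for event in events:
        key = event.get(event_field, "")
        if normalize is not None:
            key = normalize(key)
        row = table.get(key)
        enriched = dict(event)
        for field in output_fields:
            enriched[field] = row[field] if row is not None else default
        results.append(enriched)
    return results


def count_by(events, field):
    """Equivalent of `| stats count by <field>` on the enriched events."""
    counts = {}
    for event in events:
        counts[event[field]] = counts.get(event[field], 0) + 1
    return counts


def run_comparison():
    """Return (counts before normalisation, counts after) for the building field."""
    table = load_lookup(ASSETLIST_CSV, "logicalname")
    raw = lookup(EVENTS, table, "logicalname", "host", ["building", "cabinet"])
    fixed = lookup(EVENTS, table, "logicalname", "host", ["building", "cabinet"], normalize=short_name)
    return count_by(raw, "building"), count_by(fixed, "building")


if __name__ == "__main__":
    before, after = run_comparison()
    print("exact match on host:   ", before)   # FQDN events fall into "unknown"
    print("match on short name:   ", after)    # only the host truly absent stays "unknown"
```

The same normalisation can be done in SPL before the lookup runs, for instance with `eval host_short=mvindex(split(host, "."), 0)` and then `lookup assetlist logical_name AS host_short OUTPUT building`; the remaining "unknown" rows are then the hosts the asset management tool really does not know about, which is the useful signal rather than noise.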

Last updated: 22 Aug '12, 10:44

Copyright © 2005-2012 Splunk Inc. All rights reserved.