https://community.splunk.com/t5/Splunk-Search/Inaccurate-results-from-a-lookup/m-p/35735#M7850 <P>I tried splitting the lookup table into two 18,000 row (approximately) tables. When I performed the lookup on either table, the results were fine. If I combined the tables into a single one, data from the multi-valued field were still showing up in other fields.</P> Tue, 01 Feb 2011 04:00:25 GMT jambajuice 2011-02-01T04:00:25Z https://community.splunk.com/t5/Splunk-Search/Inaccurate-results-from-a-lookup/m-p/35734#M7849 <P>I have a lookup table that contains CVSS vulnerability metrics. The fields are as follows: </P> <P>"_time","cve_id",score,"access_vector","access_complexity",authentication,"integrity_impact","availability_impact","confidentiality_impact","vuln_product"</P> <P>The vuln_product field is multivalued. Sometimes events may have 100+ items in the vuln_product field. Its data looks like the following: </P> <P>"videolan:vlc_media_player:0.2.82<BR /> videolan:vlc_media_player:0.2.83<BR /> videolan:vlc_media_player:0.2.80"</P> <P>The lookup table is about 11 MB in size. When I perform a search with about 50,000 results and I do a lookup on the cve_id and output the rest of those fields, data from the "vuln_product" field is showing up in other fields. I've double-checked the lookup table and the data looks clean. I've compared the entries in the lookup table with events that were or were not displaying properly and I can't see any difference in the data. </P> <P>What might be the cause of Splunk not successfully getting events out of the lookup table?</P> <P>Thx.</P> <P>Craig </P> Sat, 29 Jan 2011 10:43:01 GMT https://community.splunk.com/t5/Splunk-Search/Inaccurate-results-from-a-lookup/m-p/35734#M7849 jambajuice 2011-01-29T10:43:01Z https://community.splunk.com/t5/Splunk-Search/Inaccurate-results-from-a-lookup/m-p/35735#M7850 <P>I tried splitting the lookup table into two 18,000 row (approximately) tables. When I performed the lookup on either table, the results were fine. If I combined the tables into a single one, data from the multi-valued field were still showing up in other fields.</P> Tue, 01 Feb 2011 04:00:25 GMT https://community.splunk.com/t5/Splunk-Search/Inaccurate-results-from-a-lookup/m-p/35735#M7850 jambajuice 2011-02-01T04:00:25Z https://community.splunk.com/t5/Splunk-Search/Inaccurate-results-from-a-lookup/m-p/35736#M7851 <P>I also tried creating two separate lookup tables. One contains the all of the fields except for the big, multi-valued "vuln_product" field. I created another lookup table that only has cve_id and vuln_product fields. If I do a lookup on the first table and then a lookup on the second table, everything is fine. But if I try and make a lookup on a single, big table, the data gets mashed up. </P> <P>Is this a bug?</P> Mon, 28 Sep 2020 09:23:45 GMT https://community.splunk.com/t5/Splunk-Search/Inaccurate-results-from-a-lookup/m-p/35736#M7851 jambajuice 2020-09-28T09:23:45Z https://community.splunk.com/t5/Splunk-Search/Inaccurate-results-from-a-lookup/m-p/35737#M7852 <P>My suspicion is that your lookup table has multiple key value entries. Assuming the first field is the only key field, check for key uniqueness like this:</P> <PRE><CODE>awk -F, '{print $1}' ${SPLUNK_HOME}/etc/MyApp/lookups/MyLookupFile.csv |&#11; uniq -d </CODE></PRE> Wed, 27 May 2015 13:20:46 GMT https://community.splunk.com/t5/Splunk-Search/Inaccurate-results-from-a-lookup/m-p/35737#M7852 woodcock 2015-05-27T13:20:46Z