I'm currently facing a curious issue on the lookup:
LOOKUP-vendor_action = pan_vendor_action_lookup vendor_action OUTPUT action
The lookup seems to be working (it appears in my interesting fields and I can also see the value counts).
But when I try to perform a search like: index=firewall action=allowed, the search returns 0 events after only 1 second. If I do the search with the field vendor_action, it works correctly.
I confirmed the issue is also present with TA 6.2.0.
TA 6.2.0 was working perfectly with Splunk 7.0.3, so I suppose the Splunk upgrade changed something.
Other TAs are not impacted by this issue.
Thank you for your help.
I have the same problem.
My issue is: a search with a filter value based on the lookup field doesn't work (index=firewall action=allowed is empty).
The lookup field "action" works only in the interesting fields count or in a search with the table keyword (like index=firewall | table action, vendor_action).
You have a lookup that works and you have a search query that works so what is the problem?
The lookup is running, but when we add the action field to the search, for example:
index="toto" sourcetype="pan:threat" action=allowed
the search takes 1 second and is empty.
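For readers reproducing the setup described in this thread, here is what the automatic lookup from the first post and the pan:threat search above look like when spelled out in props.conf and transforms.conf. This is an added example, not configuration taken from the thread or from the Palo Alto Networks add-on; the CSV file name, its sample rows and the placement under the pan:threat sourcetype are assumptions (the thread shows only the LOOKUP line and the sourcetype name).

```ini
# Added example, not from the thread or the TA. Assumptions: the lookup table is a
# CSV named pan_vendor_action_lookup.csv and the automatic lookup is attached to
# the pan:threat sourcetype shown in the last reply.

# props.conf: automatic lookup, exactly as quoted in the first post
[pan:threat]
LOOKUP-vendor_action = pan_vendor_action_lookup vendor_action OUTPUT action

# transforms.conf: the lookup definition the stanza above refers to
[pan_vendor_action_lookup]
filename = pan_vendor_action_lookup.csv

# pan_vendor_action_lookup.csv (constructed sample rows, not the TA's real table):
# vendor_action,action
# allow,allowed
# deny,blocked
```

To separate "the lookup table is wrong" from "filtering on the automatic lookup field is what fails", three searches are useful: `| inputlookup pan_vendor_action_lookup` shows the table as Splunk reads it; `index=firewall | lookup pan_vendor_action_lookup vendor_action OUTPUT action | search action=allowed` applies the same lookup explicitly and then filters; and `index=firewall vendor_action=<value from the table>` filters on the indexed field directly. If the explicit lookup search returns events while `index=firewall action=allowed` returns none, the table and the field names are fine and the difference lies in how the automatic lookup field is being filtered at search time.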