Splunk Cloud Platform

Field missing after lookup but existing before


I am doing a lookup in a customer's Splunk Cloud. To be more precise, I am using the Splunk Add-on for ASA, and there are two lookups for the action field. However, my problem is that in this environment something overwrites/cleans the action field after the lookup. The lookup takes the action field as input under the name vendor_action and outputs the action field as Cisco_ASA_action and as action. The Cisco_ASA_action field exists after the lookup. The action field is missing after the lookup (but surely existed before). If I output the field as action2, everything works fine. If I output the field as action, the field is missing. Does anybody have a clue what is happening here? Even if the lookup fails, the action field should still exist. I know that the issue is not with the ASA add-on, as the lookup works fine on other search heads. Something is cleaning/overwriting the action field. Any suggestions? As far as I know, the lookup is the last thing that happens, so I cannot explain what is going wrong. There are also no other lookups from other apps which might cause this behaviour.


Loves-to-Learn Lots

I am also running into the same issue. Did you find the root cause? Any help regarding this would be appreciated.
