Re: Field missing after lookup but existing before

jbrocks · ‎12-10-2020

Im am doing a lookup in a customers Splunk cloud - better to say, I am using Splunk Addon for ASA and there are two lookups for action field. However my problem ist that in this environment something overwrites/cleans the action field after the lookup. The lookup inserts the action field as vendor_action and outputs the action field as Cisco_ASA_action and as action. Cisco_ASA_action field is existing after lookup. Action field is missing after lookup (but surely was existing before). If I output the field as action2, everything is working fine. If I output the filed as action, field is missing. Does anybody have a clue what is happening here? Even if the lookup fails, the action field should be existing. I know that the issue is not with the ASA addon, as the lookup works fine on other Search Heads. Something ist cleaning/overwriting the action field. Any suggestions? As far as I know, lookup is the last thing happening, so I cannot explain, what is going wrong. There are also no other lookups from other apps which might cause this behaviour.

sryedudo · ‎10-19-2021

I am also running into same issue. Did you find the root cause ? Any help regarding this would be appreciated.

Field missing after lookup but existing before

using Splunk Cloud

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?