Field missing after lookup but existing before

jbrocks · ‎12-10-2020

Im am doing a lookup in a customers Splunk cloud - better to say, I am using Splunk Addon for ASA and there are two lookups for action field. However my problem ist that in this environment something overwrites/cleans the action field after the lookup. The lookup inserts the action field as vendor_action and outputs the action field as Cisco_ASA_action and as action. Cisco_ASA_action field is existing after lookup. Action field is missing after lookup (but surely was existing before). If I output the field as action2, everything is working fine. If I output the filed as action, field is missing. Does anybody have a clue what is happening here? Even if the lookup fails, the action field should be existing. I know that the issue is not with the ASA addon, as the lookup works fine on other Search Heads. Something ist cleaning/overwriting the action field. Any suggestions? As far as I know, lookup is the last thing happening, so I cannot explain, what is going wrong. There are also no other lookups from other apps which might cause this behaviour.

sryedudo · ‎10-19-2021

I am also running into same issue. Did you find the root cause ? Any help regarding this would be appreciated.

Field missing after lookup but existing before

using Splunk Cloud

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?