I'm trying to configure an automatic lookup and match multivalue field of IP addresses (in the lookup) on an IP field (in the SPL results). The lookup is a KV Store, and the definition targets that collection.
When I run the lookup definition manually, it works fine.
index=my_index eventtype=my_event_type
| lookup lookup_definition ip_mv AS ip OUTPUTNEW dns
However, when I create an automatic lookup using the same information, it doesn't work.
Any ideas?
I discovered the issue. KV store collections need to be replicated to leverage automatic lookups.
I discovered the issue. KV store collections need to be replicated to leverage automatic lookups.