- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can you help me with a lookup table behavior q...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help me with a lookup table behavior question?
I have a lookup table that is giving me strange search results that I can't figure out — I have a table which is a list of names, and the team they are on:
person1,team1
person2,team1
person3,team2
However, there are people in the data that may not be defined in a team. I was looking to define them as "Other", so I could create searches for them without using nots. So, in my lookup definition I have Minimum Matches set to 1 and Default Matches set to Other. Also, automatic lookups are turned on.
When I search like:
index=myindex
and drill into interesting fields, it shows a count of 239,824 in team Other
If I click on Team other, or search like:
index=myindex team=Other
Then it shows a count of 86,495.
Why would it be showing 239824 on a more general search, and 86495 when searched for specifically with everything else (including time picker) being the same?
After a bit more testing, to rephrase the question:
If I do the automatic lookup, with a minimum match of 1 and the default match=Other set, I get a different count than running:
index=index| fillnull value=Other Team| search Team=Other
Shouldn't they be the same?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can not use fillnull with automatic lookups. Use |inputlookup and then try the fillnull method.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oddly, automatic lookup with fillnull is working and is giving the correct result. As is automatic lookup with index=X. It's automatic lookup with index=X field=y that isn't providing the correct result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Automatic lookup is specified by source or source type, but is there any data that is not subject to automatic lookup?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, thanks for the response. The automatic lookup is set to sourcetype csv, and all of the data is showing as sourcetype=csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you misspelling "Team" and "team"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, and to verify I even selected it in interesting fields. If I do an all time search, Team in interesting fields has a count of 239,824. If I click on fields there (which adds Team=Other to the search bar) I only get 86,495 results.
If I get rid of the default value in the lookup and do a "fillnull value=Other Team| search Team=Other " on the search I get 239,824. Also, if I skip the Other bit completely and do a Team!=* I get 239,824.
I only seem to get 86,495 when doing an automatic lookup while relies on the miminum match and default value to populate the Other name. Everything else generates 239,824 and I can't see why doing the search the other way would have different results.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
