- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can you help me with a lookup table behavior q...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you help me with a lookup table behavior question?
I have a lookup table that is giving me strange search results that I can't figure out — I have a table which is a list of names, and the team they are on:
person1,team1
person2,team1
person3,team2
However, there are people in the data that may not be defined in a team. I was looking to define them as "Other", so I could create searches for them without using nots. So, in my lookup definition I have Minimum Matches set to 1 and Default Matches set to Other. Also, automatic lookups are turned on.
When I search like:
index=myindex
and drill into interesting fields, it shows a count of 239,824 in team Other
If I click on Team other, or search like:
index=myindex team=Other
Then it shows a count of 86,495.
Why would it be showing 239824 on a more general search, and 86495 when searched for specifically with everything else (including time picker) being the same?
After a bit more testing, to rephrase the question:
If I do the automatic lookup, with a minimum match of 1 and the default match=Other set, I get a different count than running:
index=index| fillnull value=Other Team| search Team=Other
Shouldn't they be the same?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can not use fillnull with automatic lookups. Use |inputlookup and then try the fillnull method.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oddly, automatic lookup with fillnull is working and is giving the correct result. As is automatic lookup with index=X. It's automatic lookup with index=X field=y that isn't providing the correct result.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Automatic lookup is specified by source or source type, but is there any data that is not subject to automatic lookup?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, thanks for the response. The automatic lookup is set to sourcetype csv, and all of the data is showing as sourcetype=csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you misspelling "Team" and "team"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No, and to verify I even selected it in interesting fields. If I do an all time search, Team in interesting fields has a count of 239,824. If I click on fields there (which adds Team=Other to the search bar) I only get 86,495 results.
If I get rid of the default value in the lookup and do a "fillnull value=Other Team| search Team=Other " on the search I get 239,824. Also, if I skip the Other bit completely and do a Team!=* I get 239,824.
I only seem to get 86,495 when doing an automatic lookup while relies on the miminum match and default value to populate the Other name. Everything else generates 239,824 and I can't see why doing the search the other way would have different results.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
