Splunk Search

Can you help me with a lookup table behavior question?

wfjarrett538
Explorer

I have a lookup table that is giving me strange search results that I can't figure out — I have a table which is a list of names, and the team they are on:

person1,team1
person2,team1
person3,team2

However, there are people in the data that may not be defined in a team. I was looking to define them as "Other", so I could create searches for them without using nots. So, in my lookup definition I have Minimum Matches set to 1 and Default Matches set to Other. Also, automatic lookups are turned on.

When I search like:

index=myindex

and drill into interesting fields, it shows a count of 239,824 in team Other

If I click on Team other, or search like:

index=myindex team=Other

Then it shows a count of 86,495.

Why would it be showing 239824 on a more general search, and 86495 when searched for specifically with everything else (including time picker) being the same?

After a bit more testing, to rephrase the question:

If I do the automatic lookup, with a minimum match of 1 and the default match=Other set, I get a different count than running:

index=index | fillnull value=Other Team | search Team=Other

Shouldn't they be the same?

0 Karma

bangalorep
Communicator

You cannot use fillnull with automatic lookups. Use |inputlookup and then try the fillnull method.

0 Karma

wfjarrett538
Explorer

Oddly, automatic lookup with fillnull is working and is giving the correct result. As is automatic lookup with index=X. It's automatic lookup with index=X field=y that isn't providing the correct result.

0 Karma

HiroshiSatoh
Champion

Automatic lookup is specified by source or source type, but is there any data that is not subject to automatic lookup?

0 Karma

wfjarrett538
Explorer

Hi, thanks for the response. The automatic lookup is set to sourcetype csv, and all of the data is showing as sourcetype=csv.

0 Karma

HiroshiSatoh
Champion

Are you misspelling "Team" and "team"?

0 Karma

wfjarrett538
Explorer

No, and to verify I even selected it in interesting fields. If I do an all time search, Team in interesting fields has a count of 239,824. If I click on fields there (which adds Team=Other to the search bar) I only get 86,495 results.

If I get rid of the default value in the lookup and do a "fillnull value=Other Team | search Team=Other" on the search I get 239,824. Also, if I skip the Other bit completely and do a Team!=* I get 239,824.

I only seem to get 86,495 when doing an automatic lookup which relies on the minimum match and default value to populate the Other name. Everything else generates 239,824 and I can't see why doing the search the other way would have different results.

0 Karma
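The lookup settings the poster configured through the UI (Minimum Matches 1, Default Matches Other, automatic lookup on sourcetype csv), written out as the equivalent configuration stanzas so the two counts can be checked against a known definition. This is an added example, not the poster's own configuration; the lookup name `team_lookup`, the CSV file name `teams.csv`, the input field `person` and the output field name `Team` are assumptions.

```ini
# transforms.conf: lookup definition carrying the thread's match settings.
# Splunk conf files take comments only on their own lines, so no inline notes.
[team_lookup]
# assumed name of the person,team CSV shown in the question
filename = teams.csv
# at least one output row is produced for every event
min_matches = 1
# value written to the output field when no CSV row matches the person
default_match = Other

# props.conf: the automatic lookup, scoped to sourcetype csv as in the thread.
# Input field person (assumed) is matched; CSV column team is written as Team.
[csv]
LOOKUP-team = team_lookup person OUTPUT team AS Team
```

With these stanzas in place, `index=myindex | stats count by Team` and `index=myindex Team=Other | stats count` can be compared on the same time range, and `| inputlookup team_lookup` confirms which rows the lookup actually holds.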