I have a lookup table that is giving me strange search results that I can't figure out — I have a table which is a list of names, and the team they are on:
person1,team1 person2,team1 person3,team2
However, there are people in the data that may not be defined in a team. I was looking to define them as "Other", so I could create searches for them without using nots. So, in my lookup definition I have Minimum Matches set to 1 and Default Matches set to Other. Also, automatic lookups are turned on.
When I search like:
and drill into interesting fields, it shows a count of 239,824 in team Other
If I click on Team other, or search like:
Then it shows a count of 86,495.
Why would it be showing 239824 on a more general search, and 86495 when searched for specifically with everything else (including time picker) being the same?
After a bit more testing, to rephrase the question:
If I do the automatic lookup, with a minimum match of 1 and the default match=Other set, I get a different count than running:
index=index| fillnull value=Other Team| search Team=Other
Shouldn't they be the same?
Oddly, automatic lookup with fillnull is working and is giving the correct result. As is automatic lookup with index=X. It's automatic lookup with index=X field=y that isn't providing the correct result.
No, and to verify I even selected it in interesting fields. If I do an all time search, Team in interesting fields has a count of 239,824. If I click on fields there (which adds Team=Other to the search bar) I only get 86,495 results.
If I get rid of the default value in the lookup and do a "fillnull value=Other Team| search Team=Other " on the search I get 239,824. Also, if I skip the Other bit completely and do a Team!=* I get 239,824.
I only seem to get 86,495 when doing an automatic lookup while relies on the miminum match and default value to populate the Other name. Everything else generates 239,824 and I can't see why doing the search the other way would have different results.