I have a lookup table that contains details about Nessus plugins -- the Nessus ID, Plugin Name, Risk Factor, and a few other fields.
I then lookup data from that table and append it to the results from the vulnerability scanner. For some reason, those lookups are failing consistently for certain plugin IDs, but not others. I've double-checked the lookup table and it contains the data I'm trying to match against.
For example, this search does not return the nessus_plugin_name from the lookup table:
index=vulnerabilities sourcetype=nessus results nessus_id="25220" | lookup nessus_plugin_reference_lookup nessus_id OUTPUT nessus_plugin_name | table nessus_id,nessus_plugin_name
But this search does:
index=vulnerabilities sourcetype=nessus results nessus_id="25220" | join type=left nessus_id [| inputlookup nessus_plugin_reference_lookup] | table nessus_id,nessus_plugin_name
How do I troubleshoot this? Why would a left join work using data from the lookup table, but the lookup command doesn't?
Thx.
Craig
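A first check worth running on the lookup CSV itself, as an added Python example that is not part of this question or of Splunk: it applies the same exact string match on the key column that a CSV lookup performs by default, and reports for a given plugin ID whether the match fails only because of invisible characters in the key (a UTF-8 BOM on the header cell, a trailing space, a zero-width character). The CSV content, field names and plugin IDs below are constructed for the example.

```python
import csv
import io
import unicodedata

# Constructed sample lookup CSV (not the poster's real table). The header
# carries a UTF-8 BOM, one nessus_id has a trailing space and one a
# zero-width space: all invisible in a lookup editor, all fatal to an
# exact-match lookup on that field.
SAMPLE_LOOKUP = (
    "\ufeffnessus_id,nessus_plugin_name,risk_factor\n"
    "10287,Traceroute Information,None\n"
    "25220 ,TCP/IP Timestamps Supported,None\n"
    "\u200b11219,Nessus SYN scanner,None\n"
)

def normalize(value):
    """Drop format (Cf: BOM, zero-width), control and space characters, then NFC-fold."""
    value = unicodedata.normalize("NFC", value)
    return "".join(ch for ch in value
                   if unicodedata.category(ch) not in ("Cf", "Cc", "Zs"))

def find_key_column(fieldnames, key):
    """Return the header cell that equals `key` once invisible characters are removed."""
    for name in fieldnames:
        if normalize(name) == key:
            return name
    return None

def diagnose(csv_text, key, wanted):
    """Classify how `wanted` matches the lookup's `key` column:
    'exact' (a lookup would succeed), 'loose' (it only matches after
    cleaning; raw_keys shows the offending value), 'missing', or
    'no_such_column' (the header itself is damaged or misnamed)."""
    reader = csv.DictReader(io.StringIO(csv_text, newline=""))
    col = find_key_column(reader.fieldnames or [], key)
    if col is None:
        return {"match": "no_such_column", "raw_keys": [], "rows": []}
    rows = list(reader)
    exact = [r for r in rows if r[col] == wanted]
    if exact:
        return {"match": "exact", "raw_keys": [], "rows": exact}
    loose = [r for r in rows if normalize(r[col]) == normalize(wanted)]
    if loose:
        return {"match": "loose", "raw_keys": [repr(r[col]) for r in loose], "rows": loose}
    return {"match": "missing", "raw_keys": [], "rows": []}

if __name__ == "__main__":
    for pid in ("10287", "25220", "11219", "99999"):
        result = diagnose(SAMPLE_LOOKUP, "nessus_id", pid)
        print(pid, result["match"], result["raw_keys"])
```

Running the script against the real lookup file (read from disk instead of `SAMPLE_LOOKUP`) shows whether the failing IDs are the ones that come back as `loose` or `no_such_column`.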
Ideas:
I agree that this sounds weird. I would expect to get the same results from both techniques.