How to troubleshoot lookup tables

I have a lookup table that contains details about Nessus plugins -- the Nessus ID, Plugin Name, Risk Factor, and a few other fields.

I then lookup data from that table and append it to the results from the vulnerability scanner. For some reason, those lookups are failing consistently for certain plugin IDs, but not others. I've double-checked the lookup table and it contains the data I'm trying to match against.

For example, this search does not return the nessuspluginname from the lookup table:

index=vulnerabilities sourcetype=nessus results nessusid="25220" | lookup nessuspluginreferencelookup nessusid OUTPUT nessuspluginname | table nessusid,nessuspluginname

But this search does:

index=vulnerabilities sourcetype=nessus results nessusid="25220" | join type=left nessusid [| inputlookup nessuspluginreferencelookup] | table nessusid,nessuspluginname

How do I troubleshoot this? Why would a left join work using data from the lookup table, but the lookup command doesn't?

Thx.

Craig

Re: How to troubleshoot lookup tables

Ideas:

  • Does the csv file have any special characters (especially whitespace) in it?
  • Do you have the advanced options set up on the lookup? I suggest that you assign a value like "invalid" to the field that is returned if no match is found (I think it is called default).

I agree that this sounds weird. I would expect to get the same results from both techniques.
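One way to run the whitespace/special-character check suggested in the reply against the lookup file itself, as an added example (this is not code from the thread or from Splunk): it parses the CSV with Python's csv module, assumes the match column is named nessusid, flags any key that an exact, whitespace-sensitive comparison would never hit (trailing spaces, a leading tab, a non-breaking space, a UTF-8 BOM on the header, duplicate keys) and emulates that exact comparison so you can see which plugin IDs would fail. The CSV embedded below is constructed for the demo.

```python
"""Audit a Splunk CSV lookup's key column for values that defeat an exact match.

Added example for this thread, not code from the original post or from Splunk.
The match column name (`nessusid`) and the sample CSV are assumptions made
for the demo.
"""
import csv
import io
import unicodedata

KEY_FIELD = "nessusid"  # assumed name of the match column

# Constructed sample: BOM before the header, a trailing space on 25220,
# a leading tab on 11219, a non-breaking space on 10287, and 10107 twice.
SAMPLE_CSV = (
    "\ufeffnessusid,nessuspluginname,riskfactor\n"
    "10107,HTTP Server Type and Version,None\n"
    "25220 ,TCP/IP Timestamps Supported,None\n"
    "\t11219,Nessus SYN scanner,None\n"
    "10287\u00a0,Traceroute Information,None\n"
    "10107,HTTP Server Type and Version,None\n"
)


def key_problems(value):
    """Return the reasons an exact, whitespace-sensitive match on `value` would fail."""
    reasons = set()
    if value.startswith("\ufeff"):
        reasons.add("UTF-8 BOM")
    if value != value.strip():  # str.strip() also removes Unicode spaces such as U+00A0
        reasons.add("leading/trailing whitespace")
    for ch in value:
        if ch in "\t\n\r\ufeff":
            continue  # already covered by the two checks above
        cat = unicodedata.category(ch)
        if cat.startswith("C"):
            reasons.add("control char U+%04X" % ord(ch))
        elif cat == "Zs" and ch != " ":
            reasons.add("non-breaking/odd space U+%04X" % ord(ch))
        elif ord(ch) > 127:
            reasons.add("non-ASCII char U+%04X" % ord(ch))
    return sorted(reasons)


def audit_lookup(text, key_field=KEY_FIELD):
    """Parse the CSV text and return (header_issue, row_issues, duplicates).

    header_issue: None, or a message if the key column is not found exactly
                  (a BOM or stray space in the header breaks the match).
    row_issues:   {line_number: [reasons]} for keys that would not match.
    duplicates:   {stripped_key: [line_numbers]} for keys that repeat.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    header_issue = None
    if key_field in header:
        idx = header.index(key_field)
    else:
        header_issue = "key column %r not found as-is; headers are %r" % (key_field, header)
        cleaned = [h.lstrip("\ufeff").strip() for h in header]
        if key_field not in cleaned:
            return header_issue, {}, {}
        idx = cleaned.index(key_field)

    row_issues = {}
    seen = {}
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        if len(row) <= idx:
            row_issues[lineno] = ["short row: %d field(s)" % len(row)]
            continue
        key = row[idx]
        reasons = key_problems(key)
        if reasons:
            row_issues[lineno] = reasons
        seen.setdefault(key.strip(), []).append(lineno)
    duplicates = {k: v for k, v in seen.items() if len(v) > 1}
    return header_issue, row_issues, duplicates


def exact_match(text, key_field, value):
    """Emulate an exact, case- and whitespace-sensitive lookup on the raw key.

    Returns the first matching row as a dict, or None when nothing matches.
    """
    reader = csv.DictReader(io.StringIO(text.lstrip("\ufeff")))
    for row in reader:
        if row.get(key_field) == value:
            return row
    return None


if __name__ == "__main__":
    header_issue, row_issues, duplicates = audit_lookup(SAMPLE_CSV)
    print("header:", header_issue or "ok")
    for lineno in sorted(row_issues):
        print("line %d: %s" % (lineno, ", ".join(row_issues[lineno])))
    for key, lines in duplicates.items():
        print("duplicate key %r on lines %s" % (key, lines))
    for plugin_id in ("25220", "10107"):
        hit = exact_match(SAMPLE_CSV, KEY_FIELD, plugin_id)
        print("exact match for %s:" % plugin_id, hit["nessuspluginname"] if hit else None)
```

Point it at the real file with `audit_lookup(open(path, encoding="utf-8").read())`; any line it reports is one to clean before re-uploading the lookup. The setting the reply is reaching for is `default_match` in the lookup definition (transforms.conf), which only kicks in together with `min_matches`; `case_sensitive_match` in the same stanza is the other setting worth checking when a lookup misses values that appear to be present.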