Splunk Search

How to troubleshoot lookup tables

responsys_cm
Builder

I have a lookup table that contains details about Nessus plugins -- the Nessus ID, Plugin Name, Risk Factor, and a few other fields.

I then lookup data from that table and append it to the results from the vulnerability scanner. For some reason, those lookups are failing consistently for certain plugin IDs, but not others. I've double-checked the lookup table and it contains the data I'm trying to match against.

For example, this search does not return the nessus_plugin_name from the lookup table:

index=vulnerabilities sourcetype=nessus results nessus_id="25220" | lookup nessus_plugin_reference_lookup nessus_id OUTPUT nessus_plugin_name | table nessus_id,nessus_plugin_name

But this search does:

index=vulnerabilities sourcetype=nessus results nessus_id="25220" | join type=left nessus_id [| inputlookup nessus_plugin_reference_lookup] | table nessus_id,nessus_plugin_name

How do I troubleshoot this? Why would a left join work using data from the lookup table, but the lookup command doesn't?

Thx.

Craig


lguinn2
Legend

Ideas:

  • Does the csv file have any special characters (especially whitespace) in it?
  • Do you have the advanced options set up on the lookup? I suggest that you assign a value like "invalid" to the field that is returned if no match is found (I think it is called default).

I agree that this sounds weird. I would expect to get the same results from both techniques.

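Added example, not from either post: a small Python script that reproduces the failure mode the answer suggests checking for. The lookup command matches the key field exactly, so a trailing space or a non-breaking space hidden in the nessus_id column of the CSV makes `lookup` miss while the value still looks correct when you eyeball the file. The script scans a lookup CSV for such key values and shows an exact-match lookup (with a default value, as in the answer's second idea) beside a whitespace-normalised one. The CSV content, field names and plugin names are constructed for the demo; the nessus_id values are the ones from the question's search plus made-up rows.

```python
import csv
import io
import unicodedata

# Constructed sample lookup CSV (not the asker's real file).
# Row 2 has a trailing ASCII space in nessus_id, row 3 a non-breaking space,
# row 4 is clean. Field names mirror the question; values are made up.
SAMPLE_LOOKUP_CSV = (
    "nessus_id,nessus_plugin_name,risk_factor\n"
    "25220 ,Example Plugin A,None\n"
    "10287\u00a0,Example Plugin B,None\n"
    "11219,Example Plugin C,None\n"
)


def load_lookup(text):
    """Parse CSV text into a list of dicts, one per row (like inputlookup)."""
    return list(csv.DictReader(io.StringIO(text)))


def find_suspicious_keys(rows, key_field):
    """Report key values that would break an exact-match lookup.

    Returns a list of (csv_line_number, repr(value), [problems]).
    """
    findings = []
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        value = row.get(key_field)
        if value is None:
            continue
        problems = []
        if value != value.strip():
            problems.append("leading/trailing whitespace")
        if any(unicodedata.category(c) == "Zs" and c != " " for c in value):
            problems.append("non-ASCII space character")
        if any(not c.isprintable() for c in value):
            problems.append("non-printable character")
        if value.startswith("\ufeff"):
            problems.append("UTF-8 BOM")
        if problems:
            findings.append((line_no, repr(value), problems))
    return findings


def exact_lookup(rows, key_field, key, output_field, default="invalid"):
    """Mimic `lookup ... OUTPUT` with an exact key match and a default value
    for the no-match case (the 'default' advanced option the answer mentions)."""
    for row in rows:
        if row.get(key_field) == key:
            return row.get(output_field)
    return default


def normalized_lookup(rows, key_field, key, output_field, default="invalid"):
    """Same lookup after stripping a BOM and Unicode whitespace from both
    sides; this is what you get once the CSV has been cleaned."""
    def norm(s):
        return s.replace("\ufeff", "").strip()

    key = norm(key)
    for row in rows:
        if norm(row.get(key_field, "")) == key:
            return row.get(output_field)
    return default


if __name__ == "__main__":
    rows = load_lookup(SAMPLE_LOOKUP_CSV)
    for line_no, value, problems in find_suspicious_keys(rows, "nessus_id"):
        print(f"line {line_no}: nessus_id={value}: {', '.join(problems)}")
    for nid in ("25220", "10287", "11219"):
        print(nid,
              "exact ->", exact_lookup(rows, "nessus_id", nid, "nessus_plugin_name"),
              "| normalized ->", normalized_lookup(rows, "nessus_id", nid, "nessus_plugin_name"))
```

Run it against your real lookup file by replacing `SAMPLE_LOOKUP_CSV` with the file contents; any row the scanner flags is a row the `lookup` command will not match on that key. The `join` in the question can still succeed on such a file when the join key on the event side happens to carry the same stray character, which is one reason the two searches can disagree.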