Hi all,
I'm trying to add a field from a lookup in a Data Model, but the field is always empty in the Data Model, e.g. running a search like the following:
| tstats count values(My_Datamodel.Application) AS Application FROM Datamodel=My_Datamodel BY sourcetype
but if I use the lookup command, it runs:
| tstats count values(My_Datamodel.Application) AS Application FROM Datamodel=My_Datamodel BY sourcetype
| lookup my_lookup.csv sourcetype OUTPUT Application
So the lookup is correct.
When I try to add the field it's possible to add it but it's still always empty:
Has anyone experienced this behavior and found a workaround?
Ciao.
Giuseppe
What if you do the manual lookup with the lookup definition, not the raw CSV - as that's what the DM is doing.
| lookup LOOKUP_DEFINITION sourcetype OUTPUT Application
Hi @bowesmana ,
the lookup (outside the Data Model) runs correctly; for this reason I opened the question in the Community, because it seems that there's an issue in the lookup usage in the Data Model.
Ciao.
Giuseppe
@gcusello I think you missed my point - in your example you are using the CSV to test, not the lookup definition, so the test is not the same as the DM. Your test should use the lookup definition to make sure it also works.
Hi @bowesmana ,
to avoid using a wrong name, I usually use the same name for the lookup and its definition, so even if I use the csv name, I use the definition.
Ciao.
Giuseppe
Ah, ok - hence my confusion - I had to test whether that uses the definition or the csv and it appears to use the definition.
I've always used the abstraction to hide the underlying name of the CSV, as that can sometimes change or be substituted.
Hi @gcusello,
Are automatic lookups working correctly, is the lookup replicated, and is the knowledge bundle up to date and replicating?
Hi @tscroggins ,
thank you for your answer.
I don't have automatic lookups, and lookups and knowledge bundles should be correctly replicated because we are on Splunk Cloud.
I could check this by opening a case with Support.
Thank you again for your help.
Ciao.
Giuseppe
At a glance, a lookup in the data model definition should work correctly if, as previously noted, the lookup definition and lookup source are correctly exported relative to the data model and everything is correctly replicated to the indexers.
What happens when you execute the derived data model search directly? It should contain, for example, with a dataset named Foo and a lookup named bar:
... | lookup bar baz output qux | rename baz as Foo.baz | rename qux as Foo.qux | ...
and as with other fields, the new fields should be addressable using their dataset prefix.
Does an unaccelerated data model return the field?
Hmm... Everything OK with export/permission settings on the lookup?
Hi @PickleRick,
thank you for your answer.
Yes, it's a Global shared lookup with read grants to all, in fact it runs in the search.
It seems that there's something strange in the Datamodel construction, as you can see in the shared screenshot.
But it's in Splunk Cloud, so it should be correct!
Ciao.
Giuseppe