Issues in adding a lookup field in a Data Model

gcusello
SplunkTrust

Hi at all,

I'm trying to add a field from a lookup in a Data Model, but the field is always empty in the Data Model, e.g. running a search like the following:

| tstats count values(My_Datamodel.Application) AS Application FROM Datamodel=My_Datamodel BY sourcetype

but if I use the lookup command, it runs:

| tstats count values(My_Datamodel.Application) AS Application FROM Datamodel=My_Datamodel BY sourcetype
| lookup my_lookup.csv sourcetype OUTPUT Application
So the lookup is correct.

When I try to add the field it's possible to add it but it's still always empty:

[screenshot: gcusello_2-1705226653176.png]

Has anyone experienced this behavior and found a workaround?

Ciao.

Giuseppe


bowesmana
SplunkTrust

What if you do the manual lookup with the lookup definition, not the raw CSV - as that's what the DM is doing.

| lookup LOOKUP_DEFINITION sourcetype OUTPUT Application

gcusello
SplunkTrust

Hi @bowesmana ,

the lookup (outside the Data Model) runs correctly; for this reason I opened the question in the Community, because it seems that there's an issue in the lookup usage in the Data Model.

Ciao.

Giuseppe


bowesmana
SplunkTrust

@gcusello  I think you missed my point - in your example you are using the CSV to test, not the lookup definition, so the test is not the same as the DM. Your test should use the lookup definition to make sure it also works.


gcusello
SplunkTrust

Hi @bowesmana ,

to avoid using a wrong name, I usually use the same name for the lookup and its definition, so even if I use the csv name, I use the definition.

Ciao.

Giuseppe


bowesmana
SplunkTrust

Ah, ok - hence my confusion - I had to test whether that uses the definition or the csv and it appears to use the definition.

I've always used the abstraction to hide the underlying name of the CSV, as that can sometimes change or be substituted.


tscroggins
Influencer

Hi @gcusello,

Are automatic lookups working correctly, is the lookup replicated, and is the knowledge bundle up to date and replicating?

gcusello
SplunkTrust

Hi @tscroggins ,

thank you for your answer.

I don't have automatic lookups, and lookups and knowledge bundles should be correctly replicated because we are on Splunk Cloud.

I could check this by opening a case with Support.

Thank you again for your help.

Ciao.

Giuseppe


tscroggins
Influencer

At a glance, a lookup in the data model definition should work correctly if, as previously noted, the lookup definition and lookup source are correctly exported relative to the data model and everything is correctly replicated to the indexers.

What happens when you execute the derived data model search directly? It should contain, for example, with a dataset named Foo and a lookup named bar:

... | lookup bar baz output qux | rename baz as Foo.baz | rename qux as Foo.qux | ...

and as with other fields, the new fields should be addressable using their dataset prefix.

Does an unaccelerated data model return the field?
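One way to run the two checks suggested above side by side, as an added example that is not part of any reply on this page. It assumes the data model and root dataset are both named My_Datamodel, the lookup definition is my_lookup (keyed on sourcetype, outputting Application) and the lookup-type field in the model is My_Datamodel.Application. The first search exercises the unaccelerated, derived data model search (the definition's own lookup and renames are applied by the datamodel command); the second compares what the acceleration summary holds against the unaccelerated result for the same field:

```spl
| datamodel My_Datamodel My_Datamodel search
| lookup my_lookup sourcetype OUTPUT Application AS Application_manual
| stats count values(My_Datamodel.Application) AS Application_from_model values(Application_manual) AS Application_from_lookup BY sourcetype

| tstats summariesonly=t count values(My_Datamodel.Application) AS Application_accelerated FROM datamodel=My_Datamodel BY sourcetype
| append [
    | tstats summariesonly=f count values(My_Datamodel.Application) AS Application_unaccelerated FROM datamodel=My_Datamodel BY sourcetype
]
| stats values(Application_accelerated) AS Application_accelerated values(Application_unaccelerated) AS Application_unaccelerated BY sourcetype
```

If Application_from_lookup is populated but Application_from_model is empty, the problem is in the data model definition itself (field name, lookup definition name or its export scope); if only the summariesonly=t column is empty, the field is missing from the accelerated summary rather than from the model.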

PickleRick
SplunkTrust

Hmm... Everything OK with export/permission settings on the lookup?

gcusello
SplunkTrust

Hi @PickleRick,

thank you for your answer.

Yes, it's a Global shared lookup with read grants to all; in fact it runs in the search.

It seems that there's something strange in the Datamodel construction, as you can see in the shared screenshot.

But it's in Splunk Cloud, so it should be correct!

Ciao.

Giuseppe
