I have been staring at this problem for eons but I'm stuck.
I have two dynamic lookups.
volumeCheck (external lookup), fields defined=ip, volumes, vrank
Result: volumeCheck always returns vrank=UNK. I expect vrank to be GREEN or AMBER.
top10InboundPortProtocol (external lookup), fields defined=port,protocol,rank
Result: returns GREEN, AMBER or RED (works)
I checked the logs and I can see that volumeCheck is returning RED or GREEN on stdout, but in the Splunk search it is showing vrank=UNK. I can't see any exception or error in splunkd.log.
FYI, I set in the dynamic lookup: minimum matches=1, Default matches to UNK.
I have done many dynamic lookups but this one stumped me.