All,
I've got a strange issue regarding lookup tables (and seen in two lookup tables now).
I have a lookup table "serialnr.csv" containing:
serialnumber,host,location
10,device_a,location_a
20,device_b,location_a
30,device_c,location_b
This is also set up in props.conf and transforms.conf.
In my index only the serialnumber is seen, and recognized as serialnumber.
My search contains:
index=myindex | lookup serialnr.csv serialnumber as serialnumber output host as hostname | table serialnumber, hostname
Output looks like:
20 device_b
20 device_b
10 device_a
30 device_c
All info is shown, and this has worked well for several months.
I added 1 line in serialnr.csv with the info of serialnr 25,
so serial.csv now contains:
serialnumber,host,location
10,device_a,location_a
20,device_b,location_a
25,device_d,location_c
30,device_c,location_b
When I do the same search I get blank fields behind serialnumber 25, whereas for all other serialnumbers all info is shown.
Output is now:
20 device_b
20 device_b
10 device_a
30 device_c
25
10 device_a
30 device_c
When doing a stats based on the result of the lookup, then the record of serialnr 25 will not show at all in the result.
I have the same issue with another lookup table.
I restarted all Splunk servers we have in use.
Still the issue remains.
It must be something simple, but I can't figure out what (and in the meantime our reports are missing information).
Who has a clue?
Check to make sure there isn't an extra (or missing) comma in one line of the csv. We've had serious issues when that happens.
Done that, but that seems not to be the issue.
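The check suggested in the answer above (an extra or missing comma in one line of the CSV) can be automated. This is an added Python example, not code from the thread: `check_lookup` and the sample rows are constructed for illustration, and the whitespace and duplicate-key checks go beyond what the answer mentions.

```python
import csv
import io

# Constructed sample using the thread's column names; rows are illustrative only.
SAMPLE = (
    "serialnumber,host,location\n"
    "10,device_a,location_a\n"
    "20,device_b,,location_a\n"   # extra comma
    "25,device_d,location_c\n"
    "30,device_c\n"               # missing comma / field
    "40 ,device_e,location_b\n"   # trailing space in the key
    "10,device_f,location_c\n"    # key already used on line 2
)

def check_lookup(text, key="serialnumber"):
    """Return (line_number, problem) tuples for rows that look malformed."""
    reader = csv.reader(io.StringIO(text, newline=""))
    header = next(reader, None)
    if not header:
        return [(1, "empty file")]
    if key not in header:
        # Also triggers when a byte-order mark is glued to the first header name.
        return [(1, f"key column {key!r} not in header {header!r}")]
    key_idx = header.index(key)
    findings, seen = [], {}
    for row in reader:
        line_no = reader.line_num
        if not row:
            findings.append((line_no, "blank line"))
            continue
        if len(row) != len(header):
            findings.append((line_no, f"{len(row)} fields, header has {len(header)}"))
        for name, value in zip(header, row):
            # "40 " and "40" are different strings in an exact comparison.
            if value != value.strip():
                findings.append((line_no, f"whitespace around {name} value {value!r}"))
        if key_idx < len(row):
            k = row[key_idx].strip()
            if k in seen:
                findings.append((line_no, f"duplicate {key} {k!r}, first seen on line {seen[k]}"))
            else:
                seen[k] = line_no
    return findings

if __name__ == "__main__":
    for line_no, problem in check_lookup(SAMPLE):
        print(f"line {line_no}: {problem}")
```

An empty result means every row has the same field count as the header, no padded values and no repeated keys; it does not rule out other causes.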