Splunk Search

lookup does not show new added lines

Explorer

All,
i've got a strange issue regarding lookup tables. ((and seen in two lookup tables now)
I have a lookup table "serialnr.csv" containing
serialnumber,host,location
10,device_a,location_a
20,device_b,location_a
30,device_c,location_b

This is also setup in props.conf and transforms.conf
in my index only the serialnumber is seen, and recognized as serialnumber
my serach contains :
index=myindex | lookup serialnr.csv serialnumber as serialnumber output host as hostname | table serialnumber, hostname
output looks like
20 device_b
20 device_b
10 device_a
30 device_c

all info is shown and this works well for several months.
I added 1 line in serialnr.csv with the info of serialnr 25
so serial.csv now contains
serialnumber,host,location
10,device_a,location_a
20,device_b,location_a
25,device_d,location_c
30,device_c,location_b

when i do the same search i get blank fields behind serialnumber 25, where at all other serialnumbers all info is shown.
output is now
20 device_b
20 device_b
10 device_a
30 device_c
25
10 device_a
30 device_c

When doing a stats, based on the result of the lookup, than the record of serialnr 25 will not show at all in the result.

I have the same issue with another lookup table.
I restarted all splunk servers we have in use.
still the issue remains

it must be something simple, but i can't figure out what. (and in the meantime our reports are missing information)

Who has a clue ?

0 Karma

SplunkTrust
SplunkTrust

Check to make sure there isn't an extra (or missing) comma in one line of the csv. We've had serious issues when that happens.

0 Karma

Explorer

Done that, but that seems not to be the issue.

0 Karma