I am writing a query to look up processed web domains against a lookup list.
I have defined a lookup named ss3url_lookup, with supported fields named "masktype", "maskid" and "kap_tld". "kap_tld" is used in this case as the input field and is a field extraction I have written, containing a sanitised domain name - the other two are intended to be output fields only and do not exist prior to the lookup.
When running my lookup with the following query, the progress is stalled at the lookup - the query runs as far as the lookup, but no results are ever returned and the query eventually times out:
sourcetype="access_combined_wcookie" | dedup kap_tld | lookup ss3url_lookup kap_tld | table kap_tld, masktype, maskid
I have verified that the kap_tld field exists and contains all values as expected, going into the lookup. But I cannot work out why the lookup stalls as it does.
Does anybody have experience of lookups not running, or know in what circumstances a lookup will stall in this way? If there is any more information I can provide, I'll be happy to do so.