Hello,

in the past few weeks, we have run into some strange behavior with a data model. It is somehow connected to geofence. We named our lookup definition for it as ld_geoContEurope and used the results in data model. But somehow, the name "ld_geoContEurope" appears in fields values, so we get values like "outOfEurope", "inEurope", and "ld_geoContEurope". And this "ld_geoContEurope" also appeared in other fields of the data model.

But, it only appears when we use tstatswith summerizeonly=t and we try to show respective fields and these are not defined in raw events. For example | tstats summarizeonly=t count by datamodel.speed shows values like

datamodel.speed count
20 3
30 5
ld_geoContEurope 2

as we can see, 2 events don't have a defined attribute speed as it is optional in the event.
When we use command | from datamodel | stats count by speed , it shows only:

speed count
20 3
30 5

as events have defined only those values.
Splunk version 6.5.8

Can someone help?
Thanks for any advice.