I encountered a very weird behaviour. I kind of found a way around it, but I want to make sure that I didn't misunderstand anything and I want to isolate/define the issue as well as possible.
Maybe this is already known to some of you.
I have a lookup which gives inconsistent results. It seems like if I feed a lot into it via | lookup I don't always get output even if the entry exists. This is inconsistent. One search might return a result, the next might not.
My search is something like this (very simplified):
index=myindex sourcetype=mysourcetype someparameters=myparameters [|inputlookup listofnumbers.csv | fields number]
| dedup number
| lookup numberToText number output text as text1
| search number <1000
| lookup numberToText number output text as text2
| table number, text1,text2
The first lookup has to look up about 10000 values. Sometimes they get a text1, sometimes they don't, even if they are in the lookup numberToText. The second lookup, now dealing with a smaller amount, always seems to give the correct output.
Has anyone ever experienced this? I know that subsearches at the top can only return 10k results to the search. But I am not aware of any restriction of the lookup command itself.
The lookup is a definition which points to a csv. It makes no difference if the csv is addressed directly.