I encountered a very weird behaviour. I think I have found a way around it, but I want to make sure that I didn't misunderstand anything, and I want to isolate/define the issue as well as possible.
Maybe this is already known to some of you.
Update: I did some more testing, and while I still have this issue, I have not been able to recreate it with fake data. However, I minimized my query to a vast degree, and pretty much every element is essential now:
| inputlookup faketestlogs.csv
| eval test.number=mvindex('test.number',0,0)
| lookup fakedictionary.csv test.number output color
| eval mydump='test.number'
| eval mydump2=color
| eventstats dc(test.id) as #ids by test.number
| lookup fakedictionary.csv test.number output color as color2
| search test.number=500
So in the real world (even with real data saved to csvs) I get the following result:
color is null (incorrect)
color2 is correct
mydump is correct
mydump2 is null (incorrect)
Removing the mvindex fixes the issue.
Removing the eventstats also fixes the issue.
I still have no idea why. Maybe it's some kind of weird formatting issue, with Splunk interpreting the data in an unintended way?