I am trying to get lookup results into accelerated datamodel, but no luck so far.
I am using network_traffic datamodel, where I have added new auto extracted field.
I have tried to setup automatic lookup, which returns that field. I have confirmed that it is working correctly in search. Permissions are global, everybody has Read, admin Write.
when I use |tstats summary only, it will return that field as empty, when I do same command without summary only, it will return field value correctly
Secondly I have removed automatic lookup and added that lookup directly into datamodel as lookup field. I selected correct lookup, filled all fields and the preview shows everything is fine.
During DM acceleration I end up with error , "lookup could not be found or accessed ...."
Went through all the permissions but no problem there.
IT this some kind of bug in Splunk ?
↧