A search uses a lookup to enrich results with a field 'status'. After the lookup, some events have empty status values. The lookup file contains a mapping for all possible status codes. What is a likely reason for empty values?
Mismatch prevents matching, resulting in no enrichment.
Why this answer
Option D is correct because the lookup command matches a field in the event (the lookup key) against a field in the lookup file. If the field name in the event does not exactly match the lookup key field name in the lookup file, no match occurs, and the output field (e.g., 'status') remains empty. This is a common misconfiguration when the lookup key field is misspelled or has a different case.
Exam trap
Splunk exams often test the distinction between a lookup that returns no match (empty values) and a lookup that fails because of syntax or data issues; candidates mistakenly blame duplicate keys or output_fields instead of recognizing a key field mismatch.
How to eliminate wrong answers
Option A is wrong because events that are not indexed would not appear in search results at all, so they cannot have empty status values after a lookup. Option B is wrong because output_fields controls which fields from the lookup file are added to events; incorrect usage would cause missing fields entirely, not empty values for a field that exists. Option C is wrong because duplicate keys in a lookup file cause the lookup to return only the first matching value, not empty values; empty values occur only when no match is found.