Current alerts, suppressed log sources receiving data and non-suppressed log sources receiving data are all showing:
Error in 'lookup' command: Could not construct lookup 'bh_status.csv, index, sourcetype, host, OUTPUT, status, as, old_status'. See search.log for more details.
The bh_status.csv lookup isn't being generated; it's failing at the output eval line:
index=summary source="bh_stats_gen"
| bh_alert_additions
| rex field=eventtype "bh_aggregate-(?<aggregate_fields>.*)"
| eval aggregate_fields=if(isnull(aggregate_fields),orig_index.",".orig_sourcetype.",".orig_host,aggregate_fields)
| stats max(latest_time) as latest_time values(eventtype) as eventtype sum(count) as count by aggregate_fields
| rex field=aggregate_fields "(?<index>[^,]+),(?<sourcetype>[^,]+),(?<host>.*)"
| eval host=lower(host),index=lower(index),sourcetype=lower(sourcetype)
| lookup expectedTime index,host,sourcetype OUTPUT _key AS key, lateSecs, comments, contact, suppressUntil
| fillnull value="-" comments, contact
| fillnull value="0" lateSecs, suppressUntil
| eval output=mvzip(key, mvzip(suppressUntil, mvzip(comments, mvzip(contact, lateSecs, "|||"), "|||"), "|||"), "|||")
| mvexpand output
getting:
Field 'output' does not exist in the data.
@MikeAnderson-E16247 Thanks for bringing this to our attention. Version 4.3.1 removes the references to bh_status.csv and reworks some later search logic to fix this issue.