topic Streamed search execute failed because: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table. in Security https://community.splunk.com/t5/Security/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/406540#M15501 <P>I have defined the below lookup in <STRONG><EM>search app</EM></STRONG> </P> <P><STRONG><EM>transforms.conf</EM></STRONG><BR /> [lookup_hosts]<BR /> external_type = kvstore<BR /> collection = hosts<BR /> case_sensitive_match = 1<BR /> fields_list = _key,hostname,env,dataCenter,appid,zone,hostname_fwrdr</P> <P><STRONG><EM>collections.conf</EM></STRONG><BR /> [hosts]<BR /> replicate = true<BR /> accelerated_fields.hostname = { "hostname": 1 }<BR /> field.env = string<BR /> field.appid = string<BR /> field.hostname = string<BR /> field.dataCenter = string<BR /> field.zone = string<BR /> field.hostname_fwrdr = string</P> <P>I have defined below automatic lookup in <STRONG><EM>props.conf</EM></STRONG> against the corresponding sourcetype<BR /> [st--acess]<BR /> ANNOTATE_PUNCT = false<BR /> LOOKUP-hosts = lookup_hosts hostname_fwrdr as host OUTPUTNEW env,dataCenter,hostname,zone</P> <P>Automatic lookup didn't work and when i tried Searching data from searchhead with below syntax:<BR /> sourcetype="st-access"| lookup lookup_hosts hostname_fwrdr as host outputnew env</P> <P>I got the error as below<BR /> <STRONG>2 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.<BR /> [idx01] Streamed search execute failed because: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.<BR /> [idx02] Streamed search execute failed because: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.</STRONG></P> <P>Please suggest a way to make this working.</P> Tue, 29 Sep 2020 22:47:01 GMT potluri_88 2020-09-29T22:47:01Z Streamed search execute failed because: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table. https://community.splunk.com/t5/Security/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/406540#M15501 <P>I have defined the below lookup in <STRONG><EM>search app</EM></STRONG> </P> <P><STRONG><EM>transforms.conf</EM></STRONG><BR /> [lookup_hosts]<BR /> external_type = kvstore<BR /> collection = hosts<BR /> case_sensitive_match = 1<BR /> fields_list = _key,hostname,env,dataCenter,appid,zone,hostname_fwrdr</P> <P><STRONG><EM>collections.conf</EM></STRONG><BR /> [hosts]<BR /> replicate = true<BR /> accelerated_fields.hostname = { "hostname": 1 }<BR /> field.env = string<BR /> field.appid = string<BR /> field.hostname = string<BR /> field.dataCenter = string<BR /> field.zone = string<BR /> field.hostname_fwrdr = string</P> <P>I have defined below automatic lookup in <STRONG><EM>props.conf</EM></STRONG> against the corresponding sourcetype<BR /> [st--acess]<BR /> ANNOTATE_PUNCT = false<BR /> LOOKUP-hosts = lookup_hosts hostname_fwrdr as host OUTPUTNEW env,dataCenter,hostname,zone</P> <P>Automatic lookup didn't work and when i tried Searching data from searchhead with below syntax:<BR /> sourcetype="st-access"| lookup lookup_hosts hostname_fwrdr as host outputnew env</P> <P>I got the error as below<BR /> <STRONG>2 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.<BR /> [idx01] Streamed search execute failed because: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.<BR /> [idx02] Streamed search execute failed because: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.</STRONG></P> <P>Please suggest a way to make this working.</P> Tue, 29 Sep 2020 22:47:01 GMT https://community.splunk.com/t5/Security/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/406540#M15501 potluri_88 2020-09-29T22:47:01Z