topic Re: Error in 'lookup' command: Must specify one or more lookup fields. in Knowledge Management

Error in 'lookup' command: Must specify one or more lookup fields.

neelesh_tiwari — Thu, 09 Sep 2021 18:59:57 GMT

I have a lookup table with CVE listed which I dont want to be in our report so we have made the lookup table and adding it to the search

| table Severity, "EC2 Instance ID", "EC2 Instance Name", "Rules Package", Rule, CreatedAt, Links, title, description, recommendation, numericSeverity | lookup ignore_cve.csv

But I am getting an error that " Error in 'lookup' command: Must specify one or more lookup fields."

So Do I have add something else after ignore_cve.csv

Kindly help.@lookup

Re: Error in 'lookup' command: Must specify one or more lookup fields.

s2_splunk — Thu, 09 Sep 2021 19:24:46 GMT

You probably want something like

index=xyz NOT [ inputlookup ignore_cve.csv ] | table ....

lookup is intended for 'translating' things, like key in, value out.

Re: Error in 'lookup' command: Must specify one or more lookup fields.

neelesh_tiwari — Mon, 13 Sep 2021 11:10:57 GMT

Hello @s2_splunk Thanks for your response and yes this is what I am looking for but seems one more error I am getting " Error in 'table' command: Invalid argument: 'CVE Number"..

CVE Number is my column name and table with vulnerabilities which I dont want to be in my search.

Regards,

Neelesh Tiwari

Re: Error in 'lookup' command: Must specify one or more lookup fields.

neelesh_tiwari — Mon, 13 Sep 2021 11:19:54 GMT

I have followed the below article.

https://community.splunk.com/t5/Splunk-Search/Why-am-I-getting-quot-Error-in-inputlookup-command-Invalid/m-p/227023

Added this to my search :

NOT [|inputlookup ignore_cve.csv | fields CVE Number, DateAdded, Reason, CVSS Score]

But again getting this error : Error in 'table' command: Invalid argument: 'DateAdded=2021-09-09'

Re: Error in 'lookup' command: Must specify one or more lookup fields.

s2_splunk — Mon, 13 Sep 2021 16:33:47 GMT

Try adding quotes to that field "CVE Number" name or remove the space from the csv header? Without seeing the exact layout of your csv file and the current query, it's difficult to provide more advice. Maybe share header row and first couple of lines of your csv?

Re: Error in 'lookup' command: Must specify one or more lookup fields.

neelesh_tiwari — Mon, 13 Sep 2021 16:51:25 GMT

@s2_splunk here is the csv file for your reference and also I will try the suggestion, keep you updated.

Re: Error in 'lookup' command: Must specify one or more lookup fields.

neelesh_tiwari — Mon, 13 Sep 2021 16:55:51 GMT

I am sharing the query with you here so kindly advise.

`aws-inspector-findings` serviceAttributes.assessmentRunArn="*" `aws-inspector-rex-arn` | search (accountId="*") (region="*")| dedup arn| search (severity="*")| spath OUTPUT=agentId assetAttributes.agentId | where isnotnull(agentId)| eval CreatedAt=substr(createdAt, 1, 19) | join type="left" serviceAttributes.rulesPackageArn [search `aws-inspector-runs` arn="*" | dedup rulesPackages{}.arn | rename rulesPackages{}.arn as packageArn, rulesPackages{}.name as packageName| eval row=mvzip(packageArn, packageName, "|") | mvexpand row | rex field=row "(?<packageArn>.*?)\|(?<packageName>.*)" | table packageArn packageName | rename packageArn as "serviceAttributes.rulesPackageArn"]| rename packageName as "Rules Package"| eval Links = if(isnotnull(agentId), "<a id=topology_link>Show in Topology</a> | <a id=ec2_link>Show Instance Details</a>", "") | sort -numericSeverity | join agentId type="left" [search earliest=-1d `aws-description-resource((aws_account_id="*"), (region="*") , "*")` | rename id as agentId ] | rename severity as Severity, id as Rule, agentId as "EC2 Instance ID", tags.Name as "EC2 Instance Name"| fillnull value="N/A" | table Severity, "EC2 Instance ID", "EC2 Instance Name", "Rules Package", Rule, CreatedAt, Links, title, description, recommendation, numericSeverity | search NOT [|inputlookup ignore_cve.csv]

Re: Error in 'lookup' command: Must specify one or more lookup fields.

neelesh_tiwari — Mon, 13 Sep 2021 16:56:51 GMT

I have added this " | search NOT [|inputlookup ignore_cve.csv]" but I am still getting all the CVE's which I dont want in my report.

Re: Error in 'lookup' command: Must specify one or more lookup fields.

s2_splunk — Mon, 13 Sep 2021 17:14:38 GMT

What field name from this search do you want to match against which field name in the lookup?

In general:

<yourSearchReturning <matchField>> NOT [| inputlookup lookupfile.csv | fields <fieldToMatch> | rename <fieldToMatch> as <matchField>]

Of course you only have to rename if the field name in your event search is different from the one in the lookup file.

Re: Error in 'lookup' command: Must specify one or more lookup fields.

s2_splunk — Mon, 13 Sep 2021 17:25:58 GMT

What is the field name of the CVE in your event results?

Re: Error in 'lookup' command: Must specify one or more lookup fields.

neelesh_tiwari — Mon, 13 Sep 2021 17:30:54 GMT

Rule is the field name.

Re: Error in 'lookup' command: Must specify one or more lookup fields.

s2_splunk — Mon, 13 Sep 2021 17:39:32 GMT

OK, so rename your field from the lookup to "Rule":

<yourSearch> NOT [|inputlookup ignore_cve.csv | rename "CVE Number" as Rule | fields Rule]

Re: Error in 'lookup' command: Must specify one or more lookup fields.

neelesh_tiwari — Mon, 13 Sep 2021 17:41:35 GMT

I have used this query at the end of the search and it worked.

| join type=left Rule [inputlookup ignore_cve.csv | eval flag="0"] | search NOT(flag=0) | where isnull(flag)

I also tried your option which you have suggested and please find the result below.

NOT [| inputlookup ignore_cve.csv | fields Rule | rename Rule as CVE] but I am still getting the error though I have used "CVE"

Re: Error in 'lookup' command: Must specify one or more lookup fields.

s2_splunk — Mon, 13 Sep 2021 17:55:53 GMT

You need to ensure that the inputlookup subsearch returns a field called "Rule", not CVE.

The field/column you want to match in your lookup is named "CVE Number", so you need to rename that to "Rule" for the NOT condition to work against your events.

NOT [|inputlookup ignore_cve.csv | rename "CVE Number" as Rule | fields Rule]