Error in 'lookup' command: Could not construct lookup

mansourireza — Wed, 30 Sep 2020 04:48:04 GMT

I have the following scheduled search that updates a lookup (simple_identity_lookup) by adding new entries that aren't already in it.

| datamodel Identity_Management "All_Identities" search 
| `drop_dm_object_name(All_Identities)`
| lookup simple_identity_lookup EmpNo OUTPUT EmpNo AS temp
| where isnull(temp) 
| rename LoginID AS identity, NickName AS nick, FirstName AS first, LastName AS last, Email AS email, Phone AS phone, SupName AS managedBy, DeptName AS bunit, JobTitle AS category, ST AS work_location, Status as status
| table identity, prefix, nick, first, last, suffix, email, phone, managedBy, priority, bunit, category, watchlist, startDate, endDate, EmpNo, work_location, work_country, status
| outputlookup append=true simple_identity_lookup

The search is failing with following error:

Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup 'simple_identity_lookup, EmpNo, OUTPUT, EmpNo, AS, temp'. See search.log for more details.

Looking in the search.log of this search for any errors yielded the following:

03-31-2020 13:44:26.466 WARN  SearchOperator:kv - Regex 'ISQ:.*?(?:[Rr]eleased|[Rr]eleasing) MID' has no capturing groups, transform_name='fields_for_cisco_esa_released'.
03-31-2020 13:44:26.466 WARN  SearchOperator:kv - No valid key names found in FORMAT for transform_name='fields_for_cisco_esa_released'.
03-31-2020 13:44:26.466 WARN  SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='fields_for_cisco_esa_released'.
03-31-2020 13:44:26.467 WARN  SearchOperator:kv - Regex '(?:ISQ:.*?[Qq]uarantine)' has no capturing groups, transform_name='fields_for_cisco_esa_quarantine'.
03-31-2020 13:44:26.467 WARN  SearchOperator:kv - No valid key names found in FORMAT for transform_name='fields_for_cisco_esa_quarantine'.
03-31-2020 13:44:26.467 WARN  SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='fields_for_cisco_esa_quarantine'.
03-31-2020 13:44:26.784 WARN  SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='link_kv_for_ueba'.
03-31-2020 13:44:26.848 ERROR SearchOperator:kv - Cannot compile RE \"(?:\s*'[^']*'|\s*"[^"]*"|\s*[^,]*)\s*(?<Server_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)\s*(?<Domain>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Server_Name>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*),\s*(?<Event_Description>[^,']*'[^']*'|[^,"]*"[^"]*"|[^,]*)\" for transform 'field_extraction_for_scm_system': Regex: two named subpatterns have the same name (PCRE2_DUPNAMES not set).
03-31-2020 13:44:26.848 WARN  SearchOperator:kv - Invalid key-value parser, ignoring it, transform_name='field_extraction_for_scm_system'.

I am not sure if this is related to search error.

I don't know what's causing the error. The lookup itself works, if I do

| inputlookup simple_identity_lookup

It can pull it up with no errors.

If I remove the OUTPUT portion so it's just

| lookup simple_identity_lookup EmpNo

the same error appears:

Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup 'simple_identity_lookup, EmpNo'. See search.log for more details.

Re: Error in 'lookup' command: Could not construct lookup

to4kawa — Wed, 01 Apr 2020 09:29:52 GMT

Is there EmpNo field?

Re: Error in 'lookup' command: Could not construct lookup

mansourireza — Wed, 01 Apr 2020 15:56:48 GMT

Yes, the field exists in both the lookup and the datamodel

topic Error in 'lookup' command: Could not construct lookup in Splunk Enterprise Security

Error in 'lookup' command: Could not construct lookup

Re: Error in 'lookup' command: Could not construct lookup

Re: Error in 'lookup' command: Could not construct lookup