https://community.splunk.com/t5/Dashboards-Visualizations/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/624744#M51224 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;, It is working fine when i used it at the end.&nbsp; can you explain the logic behind it please.&nbsp;</P><P>Thank you so much for the answer !!</P> Mon, 19 Dec 2022 16:42:04 GMT Varsha1 2022-12-19T16:42:04Z https://community.splunk.com/t5/Dashboards-Visualizations/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/624717#M51218 <P>Hi All,</P><P>I'm facing issue while appending results for 2 searches using append command.&nbsp;</P><P>I have a 2 search which i'm using to get results and also both query has lookup command to get ip_address details from a lookup .</P><P>Search query1: index=abc filter1=A | eval ..| table * | lookup def host as host OUTPUT ipaddress | stats ..| eval ..</P><P>Query 2:&nbsp;index=abc filter2=B | eval ..| table * | lookup def host as host OUTPUT ipaddress | stats ..| eval ..</P><P>Both searches are almost same except "filter" field and eval commands. And i'm using append command to append results as below:</P><P>index=abc filter1=A | eval ..| table * | lookup def host as host OUTPUT ipaddress | stats ..| eval ..| append&nbsp;<SPAN>[search index=abc filter2=B | eval ..| table * | lookup def host as host OUTPUT ipaddress | stats ..| eval ..]</SPAN></P><P>I'm getting error ([subsearch]: Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup) when running above query and runs fine if i run it seperately.</P><P>Please let me know what i am making wrong.</P><P>&nbsp;</P> Mon, 19 Dec 2022 12:26:47 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/624717#M51218 Varsha1 2022-12-19T12:26:47Z https://community.splunk.com/t5/Dashboards-Visualizations/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/624725#M51219 <P>Subsearches are limited to 50,000 events. Could this be your issue? Could you try with smaller timeframes?</P> Mon, 19 Dec 2022 13:38:04 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/624725#M51219 ITWhisperer 2022-12-19T13:38:04Z https://community.splunk.com/t5/Dashboards-Visualizations/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/624727#M51220 <P>I'm running it for last 60min and it is below 50000 events only</P><P>&nbsp;</P> Mon, 19 Dec 2022 13:46:37 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/624727#M51220 Varsha1 2022-12-19T13:46:37Z https://community.splunk.com/t5/Dashboards-Visualizations/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/624729#M51221 <P>Consider moving the <FONT face="courier new,courier">lookup</FONT> command to after the <FONT face="courier new,courier">append</FONT>.</P><LI-CODE lang="markup">index=abc filter1=A | eval .. | table * | stats .. | eval .. | append [search index=abc filter2=B | eval ..| table * | stats .. | eval .. ] | lookup def host as host OUTPUT ipaddress </LI-CODE><P>&nbsp;</P> Mon, 19 Dec 2022 14:39:26 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/624729#M51221 richgalloway 2022-12-19T14:39:26Z https://community.splunk.com/t5/Dashboards-Visualizations/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/624737#M51222 <P>Most often that message happens when the csv behind the lookup definition is missing. Check that.</P> Mon, 19 Dec 2022 15:36:19 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/624737#M51222 starcher 2022-12-19T15:36:19Z https://community.splunk.com/t5/Dashboards-Visualizations/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/624744#M51224 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp;, It is working fine when i used it at the end.&nbsp; can you explain the logic behind it please.&nbsp;</P><P>Thank you so much for the answer !!</P> Mon, 19 Dec 2022 16:42:04 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/624744#M51224 Varsha1 2022-12-19T16:42:04Z https://community.splunk.com/t5/Dashboards-Visualizations/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/624749#M51225 <P>I wish I had an explanation.&nbsp; You'd have to look at the search log for the failing search to see how that error is triggered.</P><P>Moving the <FONT face="courier new,courier">lookup</FONT> call was mainly a shot in the dark, but also should be more efficient by doing the lookups after the number of events have been reduced by <FONT face="courier new,courier">stats</FONT>.</P> Mon, 19 Dec 2022 17:25:37 GMT https://community.splunk.com/t5/Dashboards-Visualizations/Streamed-search-execute-failed-because-Error-in-lookup-command/m-p/624749#M51225 richgalloway 2022-12-19T17:25:37Z