Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error 'Could not find all of the specified lookup fields in the lookup table.'

Genti
Splunk Employee
Splunk Employee
‎05-21-2010 09:44 PM

Forwarding a question:

"... attempting to setup a lookup table. Each time I save an automatic lookup it always returns

Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'syslog' and lookup table 'Transponder'.

If I go back and view the automatic lookup, it will have multiple "blank" fields added to it. Each additional save (after deleting the blank fields or otherwise) will result in more blank fields along with the original valid fields..... Eventually the error turns to

Error 'syslog' for conf 'Transponder "" sa_msg_subject AS interface_description OUTPUTNEW "" descr AS transponder' and lookup 'Field names cannot be empty.'.

But this seems like a browser/django malfunction to me, but I was trying to avoid setting up the lookup table using the configs because generally troubleshooting for the first time is even harder.

Can you think of anything stupid I may be doing? I can't find any reference to this error anywhere.

Finally, if my lookup table has a comma as a valid value do I need to escape it? Do your csv's support quoted values? ..."

Thanks, .gz

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎05-21-2010 10:38 PM

What is the lookup command you're using to generate this error.

Do you have somedata.csv stored in $SPLUNK_HOME/etc/system/lookups/ (or in an applicaton's lookups folder) and referenced in transforms.conf... 

[somelookuptable]
filename = somedata.csv

You're right that CSV files used in lookups may have values with commas, provided those values are double quoted (e.g. "last, first" as a value for a field fullName).

View solution in original post

Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎05-21-2010 10:38 PM

What is the lookup command you're using to generate this error.

Do you have somedata.csv stored in $SPLUNK_HOME/etc/system/lookups/ (or in an applicaton's lookups folder) and referenced in transforms.conf... 

[somelookuptable]
filename = somedata.csv

You're right that CSV files used in lookups may have values with commas, provided those values are double quoted (e.g. "last, first" as a value for a field fullName).

Reply
Get Updates on the Splunk Community!

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...