Getting Data In

Error 'Could not find all of the specified lookup fields in the lookup table.'

Genti
Splunk Employee
Splunk Employee

Forwarding a question:

"... attempting to setup a lookup table. Each time I save an automatic lookup it always returns

Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'syslog' and lookup table 'Transponder'.

If I go back and view the automatic lookup, it will have multiple "blank" fields added to it. Each additional save (after deleting the blank fields or otherwise) will result in more blank fields along with the original valid fields..... Eventually the error turns to

Error 'syslog' for conf 'Transponder "" sa_msg_subject AS interface_description OUTPUTNEW "" descr AS transponder' and lookup 'Field names cannot be empty.'.

But this seems like a browser/django malfunction to me, but I was trying to avoid setting up the lookup table using the configs because generally troubleshooting for the first time is even harder.

Can you think of anything stupid I may be doing? I can't find any reference to this error anywhere.

Finally, if my lookup table has a comma as a valid value do I need to escape it? Do your csv's support quoted values? ..."

Thanks, .gz

Tags (2)
0 Karma
1 Solution

bwooden
Splunk Employee
Splunk Employee

What is the lookup command you're using to generate this error.

Do you have somedata.csv stored in $SPLUNK_HOME/etc/system/lookups/ (or in an applicaton's lookups folder) and referenced in transforms.conf...

[somelookuptable]
filename = somedata.csv

You're right that CSV files used in lookups may have values with commas, provided those values are double quoted (e.g. "last, first" as a value for a field fullName).

View solution in original post

bwooden
Splunk Employee
Splunk Employee

What is the lookup command you're using to generate this error.

Do you have somedata.csv stored in $SPLUNK_HOME/etc/system/lookups/ (or in an applicaton's lookups folder) and referenced in transforms.conf...

[somelookuptable]
filename = somedata.csv

You're right that CSV files used in lookups may have values with commas, provided those values are double quoted (e.g. "last, first" as a value for a field fullName).

Get Updates on the Splunk Community!

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...