Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Streamed search execute failed because: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

potluri_88
Explorer
‎01-16-2019 04:18 AM

I have defined the below lookup in search app

transforms.conf
[lookup_hosts]
external_type = kvstore
collection = hosts
case_sensitive_match = 1
fields_list = _key,hostname,env,dataCenter,appid,zone,hostname_fwrdr

collections.conf
[hosts]
replicate = true
accelerated_fields.hostname = { "hostname": 1 }
field.env = string
field.appid = string
field.hostname = string
field.dataCenter = string
field.zone = string
field.hostname_fwrdr = string

I have defined below automatic lookup in props.conf against the corresponding sourcetype
[st--acess]
ANNOTATE_PUNCT = false
LOOKUP-hosts = lookup_hosts hostname_fwrdr as host OUTPUTNEW env,dataCenter,hostname,zone

Automatic lookup didn't work and when i tried Searching data from searchhead with below syntax:
sourcetype="st-access"| lookup lookup_hosts hostname_fwrdr as host outputnew env

I got the error as below
2 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.
[idx01] Streamed search execute failed because: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
[idx02] Streamed search execute failed because: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

Please suggest a way to make this working.

Tags (1)
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...