Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Streamed search execute failed because: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

potluri_88
Explorer
‎01-16-2019 04:18 AM

I have defined the below lookup in search app

transforms.conf
[lookup_hosts]
external_type = kvstore
collection = hosts
case_sensitive_match = 1
fields_list = _key,hostname,env,dataCenter,appid,zone,hostname_fwrdr

collections.conf
[hosts]
replicate = true
accelerated_fields.hostname = { "hostname": 1 }
field.env = string
field.appid = string
field.hostname = string
field.dataCenter = string
field.zone = string
field.hostname_fwrdr = string

I have defined below automatic lookup in props.conf against the corresponding sourcetype
[st--acess]
ANNOTATE_PUNCT = false
LOOKUP-hosts = lookup_hosts hostname_fwrdr as host OUTPUTNEW env,dataCenter,hostname,zone

Automatic lookup didn't work and when i tried Searching data from searchhead with below syntax:
sourcetype="st-access"| lookup lookup_hosts hostname_fwrdr as host outputnew env

I got the error as below
2 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.
[idx01] Streamed search execute failed because: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
[idx02] Streamed search execute failed because: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

Please suggest a way to make this working.

Tags (1)
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...