Streamed search execute failed because: Error in '...

potluri_88 · ‎01-16-2019

I have defined the below lookup in search app

transforms.conf
[lookup_hosts]
external_type = kvstore
collection = hosts
case_sensitive_match = 1
fields_list = _key,hostname,env,dataCenter,appid,zone,hostname_fwrdr

collections.conf
[hosts]
replicate = true
accelerated_fields.hostname = { "hostname": 1 }
field.env = string
field.appid = string
field.hostname = string
field.dataCenter = string
field.zone = string
field.hostname_fwrdr = string

I have defined below automatic lookup in props.conf against the corresponding sourcetype
[st--acess]
ANNOTATE_PUNCT = false
LOOKUP-hosts = lookup_hosts hostname_fwrdr as host OUTPUTNEW env,dataCenter,hostname,zone

Automatic lookup didn't work and when i tried Searching data from searchhead with below syntax:
sourcetype="st-access"| lookup lookup_hosts hostname_fwrdr as host outputnew env

I got the error as below
2 errors occurred while the search was executing. Therefore, search results might be incomplete. Hide errors.
[idx01] Streamed search execute failed because: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
[idx02] Streamed search execute failed because: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

Please suggest a way to make this working.

Streamed search execute failed because: Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?