Splunk Search

Could not construct lookup

gopenshaw
Explorer

Hi,

I'm having an issue with a splunk lookup and I can't work out what the issue is. I have a lookup file, that among other things contains a mac address field and a hostname field

mac, nt_host
aabbccddeeff, machine1
a1b1c1d1e1f1, machine2

etc.

I then have a search which returns data like the following:

   MAC: AA:BB:CC:DD:EE:FF
   interface: ge-X/X/XX
   switch: SWITCHNAME
   timestamp: 2019-10-14T09:02:02+00:00

I'm trying to match the mac in the lookup table and return the nt_host:

index=os source="logfile" host="logfilehost"
| eval mac = lower(trim(replace(MAC, ":", "")))
| lookup lookupfile mac OUTPUT nt_host

But I get the following error:
Streamed search execute failed because: Error in 'lookup' command: Could not construct lookup 'lookupfile, mac, OUTPUT, dns'. See search.log for more details..

If i run this search it works:

index=os source="logfile" host="logfilehost"
| eval mac = lower(trim(replace(MAC, ":", "")))
| table mac
| lookup lookupfile mac OUTPUT nt_host

but a subsequent stats command then returns the same error again. I'm unsure whats happening here and I see no errors in the search log.

No idea what I'm missing here.

Thanks

0 Karma
1 Solution

gopenshaw
Explorer

I've realised the problem here is that some values in my lookup file are blank which causes the lookup to fail.

View solution in original post

gopenshaw
Explorer

I've realised the problem here is that some values in my lookup file are blank which causes the lookup to fail.

Get Updates on the Splunk Community!

3 Ways to Make OpenTelemetry Even Better

My role as an Observability Specialist at Splunk provides me with the opportunity to work with customers of ...

What's New in Splunk Cloud Platform 9.2.2406?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2406 with many ...

Enterprise Security Content Update (ESCU) | New Releases

In August, the Splunk Threat Research Team had 3 releases of new security content via the Enterprise Security ...