I previously configured a lookup file to translate Windows processes to more user-friendly names. It was working fine all along. A few days ago, I tried adding in more entries for the table, but Splunk started returning the following error.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'wmi:localprocesses' and lookup table 'process_lookup'.
I tried re-doing the lookup definition, reverting the lookup file to the original state or even reducing the mapping to just one line. None worked.
Here is the simplified lookup table setup that I am trying now. To make things simple, I changed the mapping to translate the host name into an ip with dummy values instead.
props.conf
[wmi:localprocesses]
LOOKUP-process_lookup = process_lookup host AS host OUTPUTNEW ip AS ip
transforms.conf
[process_lookup]
filename = process_lookup.csv
process_lookup.csv
host,ip
a,b
All the lookup configurations are set with Global permission.
Can anyone advise? Thanks
The problem is resolved by adding an additional column in front of the existing column. The new column can just contain dummy data. For example
sno,host,ip
1,a,b
But not sure why this can solve the problem.
Another option is to just reload, say index=* | extract reload=T, and that solved the issue for me.
After installing SplunkforSymantec onto a 6.1.1 environment I had to run the above 'strings' command to fix very similar errors.
I have the same issue in splunk 4.3.2 in Windows Platform.
The answer is even simpler most likely. Just run:
strings lookupfile.csv > newlookup.csv
If you run:
file lookupfile.csv
What is the encoding? Running strings will guarantee that Excel or an OS didn't add weird invisible characters to your lookup file. I have seen this time and time again. Strings will put it into a pure ASCII state.
I had the same issue actually, I was using UTF-8 as the encoding (was on Windows, but through notepad). Using wanling's solution did help.
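A BOM-aware alternative to the strings cleanup above, as an added example that is not part of the original thread: it reports which lookup fields a byte-wise reader cannot find in the header and rewrites the file as BOM-free UTF-8. It assumes the file starts with a byte-order mark, as saving from Notepad as UTF-8 can produce; the function names and sample bytes are constructed for illustration.

```python
import codecs
import csv
import io

# Byte-order marks that Windows editors may prepend when saving.
BOMS = [(codecs.BOM_UTF8, "utf-8-sig"),
        (codecs.BOM_UTF16_LE, "utf-16"),
        (codecs.BOM_UTF16_BE, "utf-16")]

# Constructed samples: the thread's CSV saved as "UTF-8 with BOM",
# and the same file with the dummy first column from the workaround.
SAMPLE_BOM = codecs.BOM_UTF8 + b"host,ip\r\na,b\r\n"
SAMPLE_DUMMY = codecs.BOM_UTF8 + b"sno,host,ip\r\n1,a,b\r\n"


def inspect_lookup(raw, wanted_fields):
    """Return (encoding, header as a byte-wise reader sees it, missing fields)."""
    encoding = next((name for bom, name in BOMS if raw.startswith(bom)), "utf-8")
    lines = raw.splitlines()
    # latin-1 maps every byte to one character, so stray bytes stay visible.
    header = lines[0].decode("latin-1").split(",") if lines else []
    missing = [f for f in wanted_fields if f not in header]
    return encoding, header, missing


def clean_lookup(raw):
    """Rewrite as BOM-free UTF-8 with LF endings; non-ASCII values are kept."""
    encoding = inspect_lookup(raw, [])[0]
    rows = list(csv.reader(io.StringIO(raw.decode(encoding), newline="")))
    if rows:
        rows[0] = [name.strip() for name in rows[0]]  # trim header padding
    out = io.StringIO(newline="")
    csv.writer(out, lineterminator="\n").writerows(rows)
    return out.getvalue().encode("utf-8")


if __name__ == "__main__":
    for label, raw in [("bom", SAMPLE_BOM), ("dummy column", SAMPLE_DUMMY),
                       ("cleaned", clean_lookup(SAMPLE_BOM))]:
        print(label, inspect_lookup(raw, ["host", "ip"]))
```

With the constructed BOM sample the mark's bytes stay attached to the first header name, so only "host" is reported missing; with the dummy first column they attach to "sno" instead and both lookup fields are found.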
Same problem using 4.3.2, possibly a bug? - not had this issue before.
I had the same problem. I was able to resolve it with this solution as well.
Hello. I had the same problem, but this solution didn't work. Am I missing something?
How about the index?