Splunk Search

Could not find all of the specified lookup fields in the lookup table

wanling
Path Finder

I previously configured a lookup file to translate Windows processes to more user-friendly names. It was working fine all along. A few days ago, I tried adding more entries to the table, but Splunk started returning the following error.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'wmi:localprocesses' and lookup table 'process_lookup'.

I tried re-doing the lookup definition, reverting the lookup file to the original state or even reducing the mapping to just one line. None worked.

Here is the simplified lookup table setup that I am trying now. To make things simple, I changed the mapping to translate the host name into an IP with dummy values instead.

props.conf
[wmi:localprocesses]
LOOKUP-process_lookup = process_lookup host AS host OUTPUTNEW ip AS ip

transforms.conf
[process_lookup]
filename = process_lookup.csv

process_lookup.csv
host,ip
a,b

All the lookup configurations are set with Global permission.

Can anyone advise? Thanks

0 Karma
1 Solution

wanling
Path Finder

The problem is resolved by adding an additional column in front of the existing column. The new column can just contain dummy data. For example

sno,host,ip
1,a,b

But not sure why this can solve the problem.


lakshman237
Path Finder

Another option is to just reload, say index=* | extract reload=T, and that solved the issue for me.

sbarr0
Explorer

After installing SplunkforSymantec onto a 6.1.1 environment I had to run the above 'strings' command to fix very similar errors.

0 Karma

jchen_splunk
Splunk Employee

I have the same issue in Splunk 4.3.2 on the Windows platform.

0 Karma

dmaislin_splunk
Splunk Employee

The answer is even simpler most likely. Just run:

strings lookupfile.csv > newlookup.csv

If you run:

file lookupfile.csv

What is the encoding? Running strings will guarantee that Excel or an OS didn't add weird invisible characters to your lookup file. I have seen this time and time again. Strings will put it into a pure ASCII state.

MHibbin
Influencer

I had the same issue actually, I was using UTF-8 as the encoding (was on Windows, but through Notepad). Using wanling's solution did help.

0 Karma
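A check for the condition the two posts above describe (invisible characters in the lookup file's header), as an added example that is not part of the original thread: it reports a UTF-8 byte-order mark or other control/non-ASCII bytes in the header row and tells you whether the fields named in the lookup definition exist as exact header names. The function name and sample bytes are constructed for illustration, and the BOM case is an assumption about what a Windows editor wrote; the thread does not confirm it as the cause, although a BOM glued to the first column name would be consistent with the dummy-column workaround.

```python
import csv
import io

UTF8_BOM = b"\xef\xbb\xbf"

# Constructed samples: the thread's lookup table as different editors might save it.
SAMPLE_BOM = UTF8_BOM + b"host,ip\r\na,b\r\n"             # BOM lands on "host"
SAMPLE_WORKAROUND = UTF8_BOM + b"sno,host,ip\r\n1,a,b\r\n"  # BOM lands on dummy "sno"
SAMPLE_CLEAN = b"host,ip\na,b\n"


def inspect_lookup_header(raw, required_fields):
    """Describe problems in the header row of a lookup CSV given as bytes."""
    header_bytes = raw.split(b"\n", 1)[0].rstrip(b"\r")
    # Control or non-ASCII bytes in the header: the kind of byte `strings` drops.
    odd = sorted({b for b in header_bytes if b < 0x20 or b > 0x7E})
    # Plain "utf-8" (not "utf-8-sig") keeps the BOM attached to the first name,
    # which is how a parser that does not strip it would see the header.
    text = header_bytes.decode("utf-8", errors="replace").replace("\x00", "\ufffd")
    fields = next(csv.reader(io.StringIO(text)), [])
    return {
        "bom": raw.startswith(UTF8_BOM),
        "odd_bytes": [hex(b) for b in odd],
        "fields": fields,
        # Exact-match test: "\ufeffhost" is not "host".
        "missing": [f for f in required_fields if f not in fields],
    }


if __name__ == "__main__":
    samples = [("bom", SAMPLE_BOM), ("workaround", SAMPLE_WORKAROUND),
               ("clean", SAMPLE_CLEAN)]
    for name, raw in samples:
        # "host" and "ip" are the fields used in the props.conf line of the question.
        print(name, inspect_lookup_header(raw, ["host", "ip"]))
```

To check a real file, pass `open(path, "rb").read()` and the field names from your own `LOOKUP-` line.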

MHibbin
Influencer

Same problem using 4.3.2, possibly a bug? - not had this issue before.

0 Karma

richnavis
Contributor

I had the same problem. I was able to resolve it with this solution as well.

0 Karma

papemalik
Explorer

Hello. I had the same problem, but this solution didn't work. Am I missing something?
How about the index?

0 Karma