Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error in 'lookup' command: Cannot find the source field

ktell
Explorer
‎06-29-2021 01:39 PM

I have a csv lookup table of IP addresses that I want to execute searches on server logs with, but I'm stopped by an error code (title). It tells me the source field (IP) isn't found in the lookup table (IP_lookup), but my lookup definition lists IP as a supported field. I've also tried adding the lookup field through the data model builder (no luck). 

 

Search query is

index="ef" | lookup IP_lookup IP as clientip OUTPUT IP2 as IP Address

 

For context, my lookup table has two duplicate columns of addresses. Any help would be appreciated.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 05:35 PM

@ktell can you follow this link and find if csv having any special chars inside - Re: Error in 'lookup' command: Could not find all ... - Splunk Community

Is there lookup definitions already configured in backend props.conf related to same IP_lookup ?

View solution in original post

Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 03:41 PM

@ktell 

That's strange! can you execute | inputlookup IP_lookup and share the 'field names/columns' exactly as they return they are case sensitive?

You query requires a quotes around something like this -  Share the exact error that you are getting.

index="ef" | lookup IP_lookup IP as clientip OUTPUT IP2 as "IP Address"

Reply
Solved! Jump to solution

ktell
Explorer
‎06-29-2021 03:52 PM

@venkatasri 

 

inputlookup returns IP and IP2 along with all the addresses in 2 columns

 

Full error message reads;

Error in 'lookup' command: Cannot find the source field 'IP' in the lookup table 'IP_lookup'.
 
Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 05:35 PM

@ktell can you follow this link and find if csv having any special chars inside - Re: Error in 'lookup' command: Could not find all ... - Splunk Community

Is there lookup definitions already configured in backend props.conf related to same IP_lookup ?

Reply
Solved! Jump to solution

ktell
Explorer
‎07-01-2021 10:00 AM

Thanks for the suggestion, I'm not familiar with vi but I was able to get a clean csv file by avoiding notepad 

0 Karma
Reply
Solved! Jump to solution

ktell
Explorer
‎06-29-2021 05:46 PM

@venkatasri I'm not at my workstation anymore, I'll give your suggestions a try tomorrow or setup one later

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
Top