Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error in 'lookup' command: Cannot find the source field

ktell
Explorer
‎06-29-2021 01:39 PM

I have a csv lookup table of IP addresses that I want to execute searches on server logs with, but I'm stopped by an error code (title). It tells me the source field (IP) isn't found in the lookup table (IP_lookup), but my lookup definition lists IP as a supported field. I've also tried adding the lookup field through the data model builder (no luck). 

 

Search query is

index="ef" | lookup IP_lookup IP as clientip OUTPUT IP2 as IP Address

 

For context, my lookup table has two duplicate columns of addresses. Any help would be appreciated.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 05:35 PM

@ktell can you follow this link and find if csv having any special chars inside - Re: Error in 'lookup' command: Could not find all ... - Splunk Community

Is there lookup definitions already configured in backend props.conf related to same IP_lookup ?

View solution in original post

Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 03:41 PM

@ktell 

That's strange! can you execute | inputlookup IP_lookup and share the 'field names/columns' exactly as they return they are case sensitive?

You query requires a quotes around something like this -  Share the exact error that you are getting.

index="ef" | lookup IP_lookup IP as clientip OUTPUT IP2 as "IP Address"

Reply
Solved! Jump to solution

ktell
Explorer
‎06-29-2021 03:52 PM

@venkatasri 

 

inputlookup returns IP and IP2 along with all the addresses in 2 columns

 

Full error message reads;

Error in 'lookup' command: Cannot find the source field 'IP' in the lookup table 'IP_lookup'.
 
Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 05:35 PM

@ktell can you follow this link and find if csv having any special chars inside - Re: Error in 'lookup' command: Could not find all ... - Splunk Community

Is there lookup definitions already configured in backend props.conf related to same IP_lookup ?

Reply
Solved! Jump to solution

ktell
Explorer
‎07-01-2021 10:00 AM

Thanks for the suggestion, I'm not familiar with vi but I was able to get a clean csv file by avoiding notepad 

0 Karma
Reply
Solved! Jump to solution

ktell
Explorer
‎06-29-2021 05:46 PM

@venkatasri I'm not at my workstation anymore, I'll give your suggestions a try tomorrow or setup one later

0 Karma
Reply
Get Updates on the Splunk Community!

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...

How to send events & findings from AWS to Splunk using Amazon EventBridge

Amazon EventBridge is a serverless service that uses events to connect application components together, making ...

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
Top