Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error in 'lookup' command: Cannot find the source field

ktell
Explorer
‎06-29-2021 01:39 PM

I have a csv lookup table of IP addresses that I want to execute searches on server logs with, but I'm stopped by an error code (title). It tells me the source field (IP) isn't found in the lookup table (IP_lookup), but my lookup definition lists IP as a supported field. I've also tried adding the lookup field through the data model builder (no luck). 

 

Search query is

index="ef" | lookup IP_lookup IP as clientip OUTPUT IP2 as IP Address

 

For context, my lookup table has two duplicate columns of addresses. Any help would be appreciated.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 05:35 PM

@ktell can you follow this link and find if csv having any special chars inside - Re: Error in 'lookup' command: Could not find all ... - Splunk Community

Is there lookup definitions already configured in backend props.conf related to same IP_lookup ?

View solution in original post

Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 03:41 PM

@ktell 

That's strange! can you execute | inputlookup IP_lookup and share the 'field names/columns' exactly as they return they are case sensitive?

You query requires a quotes around something like this -  Share the exact error that you are getting.

index="ef" | lookup IP_lookup IP as clientip OUTPUT IP2 as "IP Address"

Reply
Solved! Jump to solution

ktell
Explorer
‎06-29-2021 03:52 PM

@venkatasri 

 

inputlookup returns IP and IP2 along with all the addresses in 2 columns

 

Full error message reads;

Error in 'lookup' command: Cannot find the source field 'IP' in the lookup table 'IP_lookup'.
 
Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 05:35 PM

@ktell can you follow this link and find if csv having any special chars inside - Re: Error in 'lookup' command: Could not find all ... - Splunk Community

Is there lookup definitions already configured in backend props.conf related to same IP_lookup ?

Reply
Solved! Jump to solution

ktell
Explorer
‎07-01-2021 10:00 AM

Thanks for the suggestion, I'm not familiar with vi but I was able to get a clean csv file by avoiding notepad 

0 Karma
Reply
Solved! Jump to solution

ktell
Explorer
‎06-29-2021 05:46 PM

@venkatasri I'm not at my workstation anymore, I'll give your suggestions a try tomorrow or setup one later

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...