Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error in 'lookup' command: Cannot find the source field

ktell
Explorer
‎06-29-2021 01:39 PM

I have a csv lookup table of IP addresses that I want to execute searches on server logs with, but I'm stopped by an error code (title). It tells me the source field (IP) isn't found in the lookup table (IP_lookup), but my lookup definition lists IP as a supported field. I've also tried adding the lookup field through the data model builder (no luck). 

 

Search query is

index="ef" | lookup IP_lookup IP as clientip OUTPUT IP2 as IP Address

 

For context, my lookup table has two duplicate columns of addresses. Any help would be appreciated.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 05:35 PM

@ktell can you follow this link and find if csv having any special chars inside - Re: Error in 'lookup' command: Could not find all ... - Splunk Community

Is there lookup definitions already configured in backend props.conf related to same IP_lookup ?

View solution in original post

Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 03:41 PM

@ktell 

That's strange! can you execute | inputlookup IP_lookup and share the 'field names/columns' exactly as they return they are case sensitive?

You query requires a quotes around something like this -  Share the exact error that you are getting.

index="ef" | lookup IP_lookup IP as clientip OUTPUT IP2 as "IP Address"

Reply
Solved! Jump to solution

ktell
Explorer
‎06-29-2021 03:52 PM

@venkatasri 

 

inputlookup returns IP and IP2 along with all the addresses in 2 columns

 

Full error message reads;

Error in 'lookup' command: Cannot find the source field 'IP' in the lookup table 'IP_lookup'.
 
Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 05:35 PM

@ktell can you follow this link and find if csv having any special chars inside - Re: Error in 'lookup' command: Could not find all ... - Splunk Community

Is there lookup definitions already configured in backend props.conf related to same IP_lookup ?

Reply
Solved! Jump to solution

ktell
Explorer
‎07-01-2021 10:00 AM

Thanks for the suggestion, I'm not familiar with vi but I was able to get a clean csv file by avoiding notepad 

0 Karma
Reply
Solved! Jump to solution

ktell
Explorer
‎06-29-2021 05:46 PM

@venkatasri I'm not at my workstation anymore, I'll give your suggestions a try tomorrow or setup one later

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...