Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error in 'lookup' command: Cannot find the source field

ktell
Explorer
‎06-29-2021 01:39 PM

I have a csv lookup table of IP addresses that I want to execute searches on server logs with, but I'm stopped by an error code (title). It tells me the source field (IP) isn't found in the lookup table (IP_lookup), but my lookup definition lists IP as a supported field. I've also tried adding the lookup field through the data model builder (no luck). 

 

Search query is

index="ef" | lookup IP_lookup IP as clientip OUTPUT IP2 as IP Address

 

For context, my lookup table has two duplicate columns of addresses. Any help would be appreciated.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 05:35 PM

@ktell can you follow this link and find if csv having any special chars inside - Re: Error in 'lookup' command: Could not find all ... - Splunk Community

Is there lookup definitions already configured in backend props.conf related to same IP_lookup ?

View solution in original post

Reply
Solved! Jump to solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 03:41 PM

@ktell 

That's strange! can you execute | inputlookup IP_lookup and share the 'field names/columns' exactly as they return they are case sensitive?

You query requires a quotes around something like this -  Share the exact error that you are getting.

index="ef" | lookup IP_lookup IP as clientip OUTPUT IP2 as "IP Address"

Reply
Solved! Jump to solution

ktell
Explorer
‎06-29-2021 03:52 PM

@venkatasri 

 

inputlookup returns IP and IP2 along with all the addresses in 2 columns

 

Full error message reads;

Error in 'lookup' command: Cannot find the source field 'IP' in the lookup table 'IP_lookup'.
 
Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎06-29-2021 05:35 PM

@ktell can you follow this link and find if csv having any special chars inside - Re: Error in 'lookup' command: Could not find all ... - Splunk Community

Is there lookup definitions already configured in backend props.conf related to same IP_lookup ?

Reply
Solved! Jump to solution

ktell
Explorer
‎07-01-2021 10:00 AM

Thanks for the suggestion, I'm not familiar with vi but I was able to get a clean csv file by avoiding notepad 

0 Karma
Reply
Solved! Jump to solution

ktell
Explorer
‎06-29-2021 05:46 PM

@venkatasri I'm not at my workstation anymore, I'll give your suggestions a try tomorrow or setup one later

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Heading to your first .Conf? You’re in for an unforgettable ride — learning, networking, swag collecting, ...

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Calling all Splunk developers, custom SPL builders, dashboarders, and Splunkbase app creators – the Builder ...

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you ready to take your threat hunting skills to the next level? As Splunk community members, you know the ...
Top