Splunk Search

Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

user2020dy
Path Finder

Hello, guys

I'm having trouble with the output of the lookup command.

I know the right syntax of the command:

...| lookup <lookup-table-name> <lookup-field1> AS <event-field1>, <lookup-field2> AS <event-field2> OUTPUTNEW <lookup-destfield1> AS <event-destfield1>, <lookup-destfield2> AS <event-destfield2>

And I'm sure that the described fields are in the lookup.

However, I still get this error message. Any idea what it can be?

P.S. Also tried with OUTPUTNEW, nothing changed

0 Karma
1 Solution

user2020dy
Path Finder

Thanks everybody for help.

I guess the problem was in permissions by the app. The lookup was created within one app and searched within another. When I launched the search with the |lookup command in the app where the lookup was created, the events appeared.

I still don't completely understand the reason, because the permissions were set as GLOBAL and the search must work within any app where it is launched. But it works 🙂

0 Karma

ITWhisperer
SplunkTrust

Do you know which lookup is failing? Try removing each lookup until it works. Then check the field names in the lookup that fails to make sure you have them correct in your lookup.
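The field-name check suggested above can be scripted; the following is an added example, not part of the original post. It assumes a CSV-backed lookup, and the table name `departments`, its columns and the sample command are constructed. It checks names only and does not cover app-level permissions.

```python
import csv
import io
import re

# Constructed sample data (not from the thread): a CSV lookup and a lookup command.
SAMPLE_CSV = "ip,Depart\n10.0.0.5,Finance\n"
SAMPLE_SPL = "| lookup departments ip AS src_ip OUTPUTNEW depart AS src_depart"

def lookup_side_fields(spl):
    """Parse one `lookup` command; return (table, names that must be CSV columns)."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|[^\s,|]+', spl)]
    if not tokens or tokens[0].lower() != "lookup":
        raise ValueError("expected a single lookup command")
    args = tokens[1:]
    while args and "=" in args[0]:      # skip options such as local=true
        args.pop(0)
    if not args:
        raise ValueError("no lookup table name given")
    table, rest = args[0], args[1:]
    fields, skip_next = [], False
    for tok in rest:
        if skip_next:                   # the name after AS is the event-side field
            skip_next = False
        elif tok.upper() == "AS":
            skip_next = True
        elif tok not in ("OUTPUT", "OUTPUTNEW"):
            fields.append(tok)          # the name before AS must exist in the table
    return table, fields

def missing_fields(spl, csv_text):
    """Return {field: hint} for lookup-side names absent from the CSV header."""
    header = next(csv.reader(io.StringIO(csv_text)))
    _, fields = lookup_side_fields(spl)
    # Field names are case-sensitive; index a normalized form to flag near misses.
    normalized = {h.lstrip("\ufeff").strip().lower(): h for h in header}
    report = {}
    for name in fields:
        if name not in header:
            near = normalized.get(name.lower())
            report[name] = f"near match {near!r}" if near is not None else "no such column"
    return report

if __name__ == "__main__":
    print(lookup_side_fields(SAMPLE_SPL))
    print(missing_fields(SAMPLE_SPL, SAMPLE_CSV))
```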

user2020dy
Path Finder

The | lookup output is absent from the first lookup usage.

Please look at my search; | lookup should add the fields dest_depart, src_depart to my table.

But the command doesn't run.

0 Karma

ITWhisperer
SplunkTrust

By first lookup usage do you mean investigate_domains? If so, could you check the fields you are getting back?

| inputlookup investigate_domains append=t