Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

user2020dy
Path Finder
‎10-05-2020 04:54 AM

Hello, guys

Have troubles with the output of lookup command.

I know the right syntax of command:

...| lookup <lookup-table-name> <lookup-field1> AS <event-field1>, <lookup-field2> AS <event-field2> OUTPUTNEW <lookup-destfield1> AS <event-destfield1>, <lookup-destfield2> AS <event-destfield2>

And I`m sure that described fields are in the lookup.

However, I still get this error message. Any idea what it can be?

user2020dy_0-1601898286051.png

P.S. Also tried with OUTPUTNEW, nothing changed

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

user2020dy
Path Finder
‎10-05-2020 05:55 AM

Thanks everybody for help.

I guess the problem was in permissions by the app. The lookup was created within one app and searched whithin another. When I launched the search with |lookup command in the app where the lookup was created, the events appeared.

Still don`t completely understand the reason, because the permissions were set as GLOBAL and the search must work withing any app, where it is launched. But it works 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

user2020dy
Path Finder
‎10-05-2020 05:55 AM

Thanks everybody for help.

I guess the problem was in permissions by the app. The lookup was created within one app and searched whithin another. When I launched the search with |lookup command in the app where the lookup was created, the events appeared.

Still don`t completely understand the reason, because the permissions were set as GLOBAL and the search must work withing any app, where it is launched. But it works 🙂

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2020 05:05 AM

Do you know which lookup is failing? Try removing each lookup until it works. Then check the field names in the lookup that fails to make sure you have them correct in your lookup.

Reply
Solved! Jump to solution

user2020dy
Path Finder
‎10-05-2020 05:16 AM

The | lookup output is absent from the first lookup usage.

Look please at my search, | lookup should add fields dest_depart, src_depart  to my table

But the command doesn`t run

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2020 05:43 AM

By first lookup usage do you mean investigate_domains? If so, could you check the fields you are getting back?

| inputlookup investigate_domains append=t
Reply
Get Updates on the Splunk Community!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Announcing the General Availability of Splunk Enterprise Security 8.1!

We are pleased to announce the general availability of Splunk Enterprise Security 8.1. Splunk becomes the only ...

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...
li.common.scroll-to.top