Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

user2020dy
Path Finder
‎10-05-2020 04:54 AM

Hello, guys

Have troubles with the output of lookup command.

I know the right syntax of command:

...| lookup <lookup-table-name> <lookup-field1> AS <event-field1>, <lookup-field2> AS <event-field2> OUTPUTNEW <lookup-destfield1> AS <event-destfield1>, <lookup-destfield2> AS <event-destfield2>

And I`m sure that described fields are in the lookup.

However, I still get this error message. Any idea what it can be?

user2020dy_0-1601898286051.png

P.S. Also tried with OUTPUTNEW, nothing changed

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

user2020dy
Path Finder
‎10-05-2020 05:55 AM

Thanks everybody for help.

I guess the problem was in permissions by the app. The lookup was created within one app and searched whithin another. When I launched the search with |lookup command in the app where the lookup was created, the events appeared.

Still don`t completely understand the reason, because the permissions were set as GLOBAL and the search must work withing any app, where it is launched. But it works 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

user2020dy
Path Finder
‎10-05-2020 05:55 AM

Thanks everybody for help.

I guess the problem was in permissions by the app. The lookup was created within one app and searched whithin another. When I launched the search with |lookup command in the app where the lookup was created, the events appeared.

Still don`t completely understand the reason, because the permissions were set as GLOBAL and the search must work withing any app, where it is launched. But it works 🙂

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2020 05:05 AM

Do you know which lookup is failing? Try removing each lookup until it works. Then check the field names in the lookup that fails to make sure you have them correct in your lookup.

Reply
Solved! Jump to solution

user2020dy
Path Finder
‎10-05-2020 05:16 AM

The | lookup output is absent from the first lookup usage.

Look please at my search, | lookup should add fields dest_depart, src_depart  to my table

But the command doesn`t run

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2020 05:43 AM

By first lookup usage do you mean investigate_domains? If so, could you check the fields you are getting back?

| inputlookup investigate_domains append=t
Reply
Get Updates on the Splunk Community!

Developer Spotlight with William Searle

The Splunk Guy: A Developer’s Path from Web to Cloud William is a Splunk Professional Services Consultant with ...

Major Splunk Upgrade – Prepare your Environment for Splunk 10 Now!

Attention App Developers: Test Your Apps with the Splunk 10.0 Beta and Ensure Compatibility Before the ...

Stay Connected: Your Guide to June Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...
Top