Splunk Search

Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

lpolo
Motivator

I created a look up table that does return all the fields if I use the search command:

|inputlookup lookuptable

But I use the lookup command I get the following error:

Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

This is related to this thread:

http://splunk-base.splunk.com/answers/38321/could-not-find-all-of-the-specified-lookup-fields-in-the...

How can I solve this?

Thanks for your time.
Lp

Tags (1)

lpolo
Motivator

I was able to solve the problem with the following steps:

-. open the lookup file with vi. Then, look for hidden characters ":set list". You should only see this hidden character at the end of line "$". Delete, any hidden character that is not part of your text lookup file. Then, save the file and try to use the lookup command.
-. If the previous step does not fix the problem. cat you csv file. You should only see the text content of the file.

I found this in my csv file:

cat feeds.csv
FeedType,MaxHoursOld

I delete  by deleting "FeedType" and re-writing it. I saved the file and my lookup command worked as it should.

Lp

lpolo
Motivator

The lookup file was initially edit with notepad.

0 Karma

RicoSuave
Builder

Good job! Now the real question is why those characters were added. Are you by chance editing that lookup table with excel or some other app?

0 Karma

lpolo
Motivator

I have tried and it does not work. My file csv is clean. Using vi I checked if there was any hidden character. I could not find any. I just see $ sign at the end of each line.

0 Karma

RicoSuave
Builder

Have you tried the suggested work arounds in the answers link that you posted? Have you checked for hidden characters? Was this lookup table ever working?

0 Karma
Get Updates on the Splunk Community!

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...