Splunk Search

Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

lpolo
Motivator

I created a look up table that does return all the fields if I use the search command:

|inputlookup lookuptable

But I use the lookup command I get the following error:

Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

This is related to this thread:

http://splunk-base.splunk.com/answers/38321/could-not-find-all-of-the-specified-lookup-fields-in-the...

How can I solve this?

Thanks for your time.
Lp

Tags (1)

lpolo
Motivator

I was able to solve the problem with the following steps:

-. open the lookup file with vi. Then, look for hidden characters ":set list". You should only see this hidden character at the end of line "$". Delete, any hidden character that is not part of your text lookup file. Then, save the file and try to use the lookup command.
-. If the previous step does not fix the problem. cat you csv file. You should only see the text content of the file.

I found this in my csv file:

cat feeds.csv
FeedType,MaxHoursOld

I delete  by deleting "FeedType" and re-writing it. I saved the file and my lookup command worked as it should.

Lp

lpolo
Motivator

The lookup file was initially edit with notepad.

0 Karma

RicoSuave
Builder

Good job! Now the real question is why those characters were added. Are you by chance editing that lookup table with excel or some other app?

0 Karma

lpolo
Motivator

I have tried and it does not work. My file csv is clean. Using vi I checked if there was any hidden character. I could not find any. I just see $ sign at the end of each line.

0 Karma

RicoSuave
Builder

Have you tried the suggested work arounds in the answers link that you posted? Have you checked for hidden characters? Was this lookup table ever working?

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...