Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

user2020dy
Path Finder
‎10-05-2020 04:54 AM

Hello, guys

Have troubles with the output of lookup command.

I know the right syntax of command:

...| lookup <lookup-table-name> <lookup-field1> AS <event-field1>, <lookup-field2> AS <event-field2> OUTPUTNEW <lookup-destfield1> AS <event-destfield1>, <lookup-destfield2> AS <event-destfield2>

And I`m sure that described fields are in the lookup.

However, I still get this error message. Any idea what it can be?

user2020dy_0-1601898286051.png

P.S. Also tried with OUTPUTNEW, nothing changed

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

user2020dy
Path Finder
‎10-05-2020 05:55 AM

Thanks everybody for help.

I guess the problem was in permissions by the app. The lookup was created within one app and searched whithin another. When I launched the search with |lookup command in the app where the lookup was created, the events appeared.

Still don`t completely understand the reason, because the permissions were set as GLOBAL and the search must work withing any app, where it is launched. But it works 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

user2020dy
Path Finder
‎10-05-2020 05:55 AM

Thanks everybody for help.

I guess the problem was in permissions by the app. The lookup was created within one app and searched whithin another. When I launched the search with |lookup command in the app where the lookup was created, the events appeared.

Still don`t completely understand the reason, because the permissions were set as GLOBAL and the search must work withing any app, where it is launched. But it works 🙂

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2020 05:05 AM

Do you know which lookup is failing? Try removing each lookup until it works. Then check the field names in the lookup that fails to make sure you have them correct in your lookup.

Reply
Solved! Jump to solution

user2020dy
Path Finder
‎10-05-2020 05:16 AM

The | lookup output is absent from the first lookup usage.

Look please at my search, | lookup should add fields dest_depart, src_depart  to my table

But the command doesn`t run

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2020 05:43 AM

By first lookup usage do you mean investigate_domains? If so, could you check the fields you are getting back?

| inputlookup investigate_domains append=t
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...