Hello
I am running the following search with the end aim of using the 'map' functionality to plot the results but when I run the query an error is returned advising
Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.
The search I am running is
sourcetype="netscaler" | iplocation IPADDRESS | eval GeoLocation=case(Country="Australia", "Views from Australia", Country!="Australia", "International Views") | search GeoLocation="Views from Australia" NOT City="" OR Country="" | eval City=Upper(City) | lookup geoLocations_lookup City OUTPUT lat lon
I have verified that the lookup table is correct and it can be viewed using the | inputlookup call.
If I remove the lookup and run the query all works and the 'City' information is returned. I can then run further searches using City=XXXXX so it must be picking up the City name/value correctly so I am puzzled as to why the search fails using the lookup command.
Any help would be greatly appreciated.
Ps.. I know there is a Google Maps App but that is also giving us grief running in a distributed environment so I am hoping to use the above as an alternative.
Cheers,
Alastair
