Solved: Re: Inputlookup subsearch shows invalid lookup

mdsnmss · ‎07-21-2017

I have a user who is receiving the error:

No matching fields exist [subsearch]: The lookup table <-lookup>.csv is invalid.

This is the result of the line: | JOIN <field> [inputlookup <lookup>.csv]

The search itself runs successfully with multiple other accounts so I am assuming it is a permissions issue. I have gone into the lookup table and definition and both are shared globally and have the user listed with read access. I've also confirmed the field referenced in the join is in both the lookup table and definition.

Any idea why it is not allowing this user to run the search?

mdsnmss · ‎07-25-2017

Kept troubleshooting and it was a permissions issue. The account needed access to the index, the lookup table, and the app the lookup table was in. We had the first two and with the lookup table shared globally and permissions granted to the user for read access to it thought it should work outside of the app context. Adding read access to the app it was contained in allowed the search to run.

View solution in original post

mdsnmss · ‎07-25-2017

Kept troubleshooting and it was a permissions issue. The account needed access to the index, the lookup table, and the app the lookup table was in. We had the first two and with the lookup table shared globally and permissions granted to the user for read access to it thought it should work outside of the app context. Adding read access to the app it was contained in allowed the search to run.

sbbadri · ‎07-21-2017

try below

| JOIN [|inputlookup .csv]

i think your are missing pipe in fornt of inputlookup

mdsnmss · ‎07-21-2017

It works with or without the pipe for my account.

Inputlookup subsearch shows invalid lookup

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!