Splunk Search

Lookup error: Could not find all of the specified lookup fields

emaccaferri
Communicator

Hi!
I'm trying to use lookup table but I get the error I wrote in the title.
My .conf files are

props.conf:

[mobile]
NO_BINARY_CHECK = 1
pulldown_type = 1
REPORT -mobileextract = estrae_mobile
FIELDALIAS-rinominacifn = cif_number AS cif
LOOKUP -table = useragent_lookup  PropertyName AS  useragent OUTPUTNEW Browser As Browser , Version AS Version

transforms.conf

    [estrae_mobile]
DELIMS = "\t"
FIELDS = browser, useragent 


[useragent_lookup]
filename = useragent_lookup.csv

The first two lines of the csv file are in \etc\system\lookups\useragent_lookup.csv

PropertyName;AgentID;MasterParent;LiteMode;Parent;Comments;Browser;Version;MajorVer;MinorVer;Platform;Platform_Version;Platform_Description;Alpha;Beta;Win16;Win32;Win64;Frames;IFrames;Tables;Cookies;BackgroundSounds;JavaScript;VBScript;JavaApplets;ActiveXControls;isMobileDevice;isSyndicationReader;Crawler;CSSVersion;AolVersion;Device_Name;Device_Maker;RenderingEngine_Name;RenderingEngine_Version;RenderingEngine_Description;;

Ask;4163;true;true;Ask;Ask;Ask;0;;0;;0;;false;false;false;false;false;true;true;true;false;false;false;false;false;false;false;false;true;0;0;;;;0;;;

"Mozilla/5.0 (compatible; bingbot/2.*)";11771;false;true;MSN;;BingBot;0;;0;;0;;default;default;default;default;default;default;default;default;default;default;default;default;default;default;default;default;default;0;0;;;;0;;;

I don't find an error, can someone help me?
Thanks

Tags (2)
0 Karma
1 Solution

emaccaferri
Communicator

The error was genereted because my lookup fields were separated by ;

I substituted ; with , and the error was gone.

View solution in original post

emaccaferri
Communicator

The error was genereted because my lookup fields were separated by ;

I substituted ; with , and the error was gone.

ncornejo
New Member

Thanks a lot, I was must read this two hours ago

0 Karma

fabiocaldas
Contributor

Thanks a lot

0 Karma

Ayn
Legend

You have the order incorrect in your lookup statement. Which is completely understandable because the correct order is totally counter-intuitive 🙂

The order should be LOOKUP-blabla = yourlookup fieldinlookup AS fieldinyoursearch

So in your case you have

LOOKUP-table = useragent_lookup  PropertyName AS  useragent ...

When it really should be

LOOKUP-table = useragent_lookup useragent AS PropertyName ...

emaccaferri
Communicator

Can be a csv table problem?

0 Karma

emaccaferri
Communicator

It doesn't work anyway.
Moreover I don't understand: PropertyName is the name of the lookup field I would like to match with my field in the search. I thought the order was right

0 Karma

emaccaferri
Communicator

I checked for hidden characters,nothing. End of line character is unix LF

0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...