Splunk Search

Lookup error: Could not find all of the specified lookup fields

emaccaferri
Communicator

Hi!
I'm trying to use lookup table but I get the error I wrote in the title.
My .conf files are

props.conf:

[mobile]
NO_BINARY_CHECK = 1
pulldown_type = 1
REPORT -mobileextract = estrae_mobile
FIELDALIAS-rinominacifn = cif_number AS cif
LOOKUP -table = useragent_lookup  PropertyName AS  useragent OUTPUTNEW Browser As Browser , Version AS Version

transforms.conf

    [estrae_mobile]
DELIMS = "\t"
FIELDS = browser, useragent 


[useragent_lookup]
filename = useragent_lookup.csv

The first two lines of the csv file are in \etc\system\lookups\useragent_lookup.csv

PropertyName;AgentID;MasterParent;LiteMode;Parent;Comments;Browser;Version;MajorVer;MinorVer;Platform;Platform_Version;Platform_Description;Alpha;Beta;Win16;Win32;Win64;Frames;IFrames;Tables;Cookies;BackgroundSounds;JavaScript;VBScript;JavaApplets;ActiveXControls;isMobileDevice;isSyndicationReader;Crawler;CSSVersion;AolVersion;Device_Name;Device_Maker;RenderingEngine_Name;RenderingEngine_Version;RenderingEngine_Description;;

Ask;4163;true;true;Ask;Ask;Ask;0;;0;;0;;false;false;false;false;false;true;true;true;false;false;false;false;false;false;false;false;true;0;0;;;;0;;;

"Mozilla/5.0 (compatible; bingbot/2.*)";11771;false;true;MSN;;BingBot;0;;0;;0;;default;default;default;default;default;default;default;default;default;default;default;default;default;default;default;default;default;0;0;;;;0;;;

I don't find an error, can someone help me?
Thanks

Tags (2)
0 Karma
1 Solution

emaccaferri
Communicator

The error was genereted because my lookup fields were separated by ;

I substituted ; with , and the error was gone.

View solution in original post

emaccaferri
Communicator

The error was genereted because my lookup fields were separated by ;

I substituted ; with , and the error was gone.

ncornejo
New Member

Thanks a lot, I was must read this two hours ago

0 Karma

fabiocaldas
Contributor

Thanks a lot

0 Karma

Ayn
Legend

You have the order incorrect in your lookup statement. Which is completely understandable because the correct order is totally counter-intuitive 🙂

The order should be LOOKUP-blabla = yourlookup fieldinlookup AS fieldinyoursearch

So in your case you have

LOOKUP-table = useragent_lookup  PropertyName AS  useragent ...

When it really should be

LOOKUP-table = useragent_lookup useragent AS PropertyName ...

emaccaferri
Communicator

Can be a csv table problem?

0 Karma

emaccaferri
Communicator

It doesn't work anyway.
Moreover I don't understand: PropertyName is the name of the lookup field I would like to match with my field in the search. I thought the order was right

0 Karma

emaccaferri
Communicator

I checked for hidden characters,nothing. End of line character is unix LF

0 Karma
Get Updates on the Splunk Community!

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

[Coming Soon] Splunk Observability Cloud - Enhanced navigation with a modern look and ...

We are excited to introduce our enhanced UI that brings together AppDynamics and Splunk Observability. This is ...