Splunk Search

Lookup error: Could not find all of the specified lookup fields

emaccaferri
Communicator

Hi!
I'm trying to use lookup table but I get the error I wrote in the title.
My .conf files are

props.conf:

[mobile]
NO_BINARY_CHECK = 1
pulldown_type = 1
REPORT -mobileextract = estrae_mobile
FIELDALIAS-rinominacifn = cif_number AS cif
LOOKUP -table = useragent_lookup  PropertyName AS  useragent OUTPUTNEW Browser As Browser , Version AS Version

transforms.conf

    [estrae_mobile]
DELIMS = "\t"
FIELDS = browser, useragent 


[useragent_lookup]
filename = useragent_lookup.csv

The first two lines of the csv file are in \etc\system\lookups\useragent_lookup.csv

PropertyName;AgentID;MasterParent;LiteMode;Parent;Comments;Browser;Version;MajorVer;MinorVer;Platform;Platform_Version;Platform_Description;Alpha;Beta;Win16;Win32;Win64;Frames;IFrames;Tables;Cookies;BackgroundSounds;JavaScript;VBScript;JavaApplets;ActiveXControls;isMobileDevice;isSyndicationReader;Crawler;CSSVersion;AolVersion;Device_Name;Device_Maker;RenderingEngine_Name;RenderingEngine_Version;RenderingEngine_Description;;

Ask;4163;true;true;Ask;Ask;Ask;0;;0;;0;;false;false;false;false;false;true;true;true;false;false;false;false;false;false;false;false;true;0;0;;;;0;;;

"Mozilla/5.0 (compatible; bingbot/2.*)";11771;false;true;MSN;;BingBot;0;;0;;0;;default;default;default;default;default;default;default;default;default;default;default;default;default;default;default;default;default;0;0;;;;0;;;

I don't find an error, can someone help me?
Thanks

Tags (2)
0 Karma
1 Solution

emaccaferri
Communicator

The error was genereted because my lookup fields were separated by ;

I substituted ; with , and the error was gone.

View solution in original post

emaccaferri
Communicator

The error was genereted because my lookup fields were separated by ;

I substituted ; with , and the error was gone.

ncornejo
New Member

Thanks a lot, I was must read this two hours ago

0 Karma

fabiocaldas
Contributor

Thanks a lot

0 Karma

Ayn
Legend

You have the order incorrect in your lookup statement. Which is completely understandable because the correct order is totally counter-intuitive 🙂

The order should be LOOKUP-blabla = yourlookup fieldinlookup AS fieldinyoursearch

So in your case you have

LOOKUP-table = useragent_lookup  PropertyName AS  useragent ...

When it really should be

LOOKUP-table = useragent_lookup useragent AS PropertyName ...

emaccaferri
Communicator

Can be a csv table problem?

0 Karma

emaccaferri
Communicator

It doesn't work anyway.
Moreover I don't understand: PropertyName is the name of the lookup field I would like to match with my field in the search. I thought the order was right

0 Karma

emaccaferri
Communicator

I checked for hidden characters,nothing. End of line character is unix LF

0 Karma
Get Updates on the Splunk Community!

Customer Experience | Splunk 2024: New Onboarding Resources

In 2023, we were routinely reminded that the digital world is ever-evolving and susceptible to new ...

Celebrate CX Day with Splunk: Take our interactive quiz, join our LinkedIn Live ...

Today and every day, Splunk celebrates the importance of customer experience throughout our product, ...

How to Get Started with Splunk Data Management Pipeline Builders (Edge Processor & ...

If you want to gain full control over your growing data volumes, check out Splunk’s Data Management pipeline ...