Splunk Search

Lookup error: Could not find all of the specified lookup fields

emaccaferri
Communicator

Hi!
I'm trying to use lookup table but I get the error I wrote in the title.
My .conf files are

props.conf:

[mobile]
NO_BINARY_CHECK = 1
pulldown_type = 1
REPORT -mobileextract = estrae_mobile
FIELDALIAS-rinominacifn = cif_number AS cif
LOOKUP -table = useragent_lookup  PropertyName AS  useragent OUTPUTNEW Browser As Browser , Version AS Version

transforms.conf

    [estrae_mobile]
DELIMS = "\t"
FIELDS = browser, useragent 


[useragent_lookup]
filename = useragent_lookup.csv

The first two lines of the csv file are in \etc\system\lookups\useragent_lookup.csv

PropertyName;AgentID;MasterParent;LiteMode;Parent;Comments;Browser;Version;MajorVer;MinorVer;Platform;Platform_Version;Platform_Description;Alpha;Beta;Win16;Win32;Win64;Frames;IFrames;Tables;Cookies;BackgroundSounds;JavaScript;VBScript;JavaApplets;ActiveXControls;isMobileDevice;isSyndicationReader;Crawler;CSSVersion;AolVersion;Device_Name;Device_Maker;RenderingEngine_Name;RenderingEngine_Version;RenderingEngine_Description;;

Ask;4163;true;true;Ask;Ask;Ask;0;;0;;0;;false;false;false;false;false;true;true;true;false;false;false;false;false;false;false;false;true;0;0;;;;0;;;

"Mozilla/5.0 (compatible; bingbot/2.*)";11771;false;true;MSN;;BingBot;0;;0;;0;;default;default;default;default;default;default;default;default;default;default;default;default;default;default;default;default;default;0;0;;;;0;;;

I don't find an error, can someone help me?
Thanks

Tags (2)
0 Karma
1 Solution

emaccaferri
Communicator

The error was genereted because my lookup fields were separated by ;

I substituted ; with , and the error was gone.

View solution in original post

emaccaferri
Communicator

The error was genereted because my lookup fields were separated by ;

I substituted ; with , and the error was gone.

ncornejo
New Member

Thanks a lot, I was must read this two hours ago

0 Karma

fabiocaldas
Contributor

Thanks a lot

0 Karma

Ayn
Legend

You have the order incorrect in your lookup statement. Which is completely understandable because the correct order is totally counter-intuitive 🙂

The order should be LOOKUP-blabla = yourlookup fieldinlookup AS fieldinyoursearch

So in your case you have

LOOKUP-table = useragent_lookup  PropertyName AS  useragent ...

When it really should be

LOOKUP-table = useragent_lookup useragent AS PropertyName ...

emaccaferri
Communicator

Can be a csv table problem?

0 Karma

emaccaferri
Communicator

It doesn't work anyway.
Moreover I don't understand: PropertyName is the name of the lookup field I would like to match with my field in the search. I thought the order was right

0 Karma

emaccaferri
Communicator

I checked for hidden characters,nothing. End of line character is unix LF

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...