- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Unable to use lookup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a problem, I configured a lookup table, defined it and set automatic lookup. When i tried to run a simple command sourcetype=csv-20
The error shows "Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'csv-20' and lookup table 'sample_lookups'."
Please correct me if i'm missing something in the configurations.
Note:There are no hidden characters in the lookup file.
props.conf
[csv-20]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-6
SHOULD_LINEMERGE = False
given_type = csv
pulldown_type = true
CHECK_FOR_HEADER = False
LOOKUP-sample_lookups = sample_lookups productId OUTPUTNEW price, description
transforms.conf
[sample_lookups]
filename = sample_lookups.csv
Input file
A1,3
A2,2
A3,7
A4,8
A5,9
Lookup table
productId,price,description
A1,10.0,Bathing_Bar
A2,12.25,Tooth_brush
A3,6.5,Tooth_paste
A4,7.96,deo
A5,12.5,Mars_choco
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess you have mentioned the column name "productId" in your input file. Rest of the things are correctly done.
"|inputcsv input.csv|lookup sample_lookups productId" is giving you the desired result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I guess you have mentioned the column name "productId" in your input file. Rest of the things are correctly done.
"|inputcsv input.csv|lookup sample_lookups productId" is giving you the desired result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
could you write me the query where you are using sourcetype? i may be able to help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
" |inputlookup sample_lookups" command retrieves me with the lookup table with three columns.
But when i run "sourcetype=csv-20" command; the error still shows up.
"Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'csv-20' and lookup table 'sample_lookups'."
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
