Splunk Search

Why am I getting Invalid lookup table?

szabados
Communicator

I want to use a lookup table, but every time, I add the command to my search "| lookup name_of_my_lookup", I'm getting the "Error in 'lookup' command: The lookup table 'name_of_my_lookup' does not exist or is not available. "

When I try to load the same lookup with "| inputlookup", it works fine, I see all the contents.
I didn't find any more detailed error message.

What am I doing wrong?


Update: without changing anything, the issue is gone now. The lookup works now as expected, but I would be still interested in understanding what went wrong, not to make the same mistake again in the future.

Labels (1)

bwhite
Engager

For future users facing this, this can be caused by leading or trailing white space around the name of either the file or the lookup.  Recreate and see if that fixes it.

0 Karma

the_wolverine
Champion

I've also seen this happen with improperly formatted lookup files where there are missing columns.

Internally, you could search:
index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" lookup table invalid

02-01-2018 15:41:44.309 -0800 WARN  SearchOperator:inputcsv - sid:searchparsetmp_741145440 The lookup table 'mylookup.csv' is invalid.

In this case the lookup file was missing a first column, e,g.

,field2,field3,field4
,cod,fish,tiger
,worm,bat,mouse

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi szabados,
did you get global permissions both to your lookup File and Definitions?
Bye.
Giuseppe

jkat54
SplunkTrust
SplunkTrust

You need to add a lookup definition and make sure the permissions are correct on it. Without the definition you'll have to add .csv to the name when you use it.

Settings -> lookups -> lookup definition

jkat54
SplunkTrust
SplunkTrust

@szabados

It's likely the permissions / configurations hadn't replicated yet.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...