
Why is a Splunk search throwing errors on a lookup that isn't being called?

gwalford
Path Finder

One of my users has a lookup table that they have saved appropriately into their app.

It was running just fine. Now, after the weekend, when you search for anything inside the app, Splunk throws errors about the lookup file, even if you are not calling it.

For example, if you just search for:
index=main

You will get a whole host of errors from the indexers prior to the results that look like this:

[Indexer01] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'network:firewall' and lookup table 'Network_Hosts_List'.
[Indexer02] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'network:firewall' and lookup table 'Network_Hosts_List'.
[Indexer03] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'network:firewall' and lookup table 'Network_Hosts_List'.
[Indexer04] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'network:firewall' and lookup table 'Network_Hosts_List'.
[Indexer05] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'network:firewall' and lookup table 'Network_Hosts_List'.
[Indexer06] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'network:firewall' and lookup table 'Network_Hosts_List'.
[Indexer07] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'network:firewall' and lookup table 'Network_Hosts_List'.
[Indexer08] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'network:firewall' and lookup table 'Network_Hosts_List'.
[Indexer09] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'network:firewall' and lookup table 'Network_Hosts_List'.
[Indexer10] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'network:firewall' and lookup table 'Network_Hosts_List'.
[Indexer11] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'network:firewall' and lookup table 'Network_Hosts_List'.
[Indexer12] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'network:firewall' and lookup table 'Network_Hosts_List'.
[Indexer13] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'network:firewall' and lookup table 'Network_Hosts_List'.

And so on...

Why is Splunk throwing errors on a Lookup table that isn't being referenced?

1 Solution

martin_mueller
SplunkTrust

There's a mismatch between an automatic lookup defined for sourcetype=network:firewall and the lookup definition Network_Hosts_List: the automatic lookup is trying to use fields that don't exist in the lookup definition.

Possible reasons include someone changed the "schema" of the lookup file by removing or renaming an essential column, or the entire file could be empty.

These messages are generated because Splunk is preparing its configuration for the search - who knows, an event in index=main might have sourcetype=network:firewall, so Splunk's complaining ahead of time "this isn't going to end well" when the config mismatch was detected.


Masa
Splunk Employee

Possibly the auto-lookup for Network_Hosts_List is enabled for the app you're running the search in, while the app/add-on for the lookup is not shared.
Please check and try global permission for the lookup, the auto-lookup and the app/add-on, and see if the warning message goes away.

0 Karma

PopcornBob
Engager

Just went through something similar. A useful app is the Lookup Editor on Splunkbase. It can identify duplicate lookups in different locations. For example: I moved to using an app for my CIDR lookups, and forgot to remove the local subnets.csv from /etc/apps/search/lookups/ on my search head.

0 Karma

martin_mueller
SplunkTrust

Make sure the set of fields in the lookup file lines up with the automatic lookup, and make sure the lookup file and definition are shared at least as wide as the automatic lookup.

0 Karma
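To make the field check from the accepted answer and this follow-up concrete, here is an added Python example (not from the thread or from Splunk) that compares the lookup columns an automatic lookup names in props.conf against the header of the lookup CSV. The stanza, the LOOKUP-hosts setting, the field names and the CSV rows are all constructed for illustration.

```python
import csv
import io
import re

# Constructed props.conf fragment: an automatic lookup on the firewall sourcetype
# that needs lookup columns src_ip (match), host_name and owner (output).
PROPS_CONF = """
[network:firewall]
LOOKUP-hosts = Network_Hosts_List src_ip AS src OUTPUTNEW host_name AS src_host owner
"""

# Constructed lookup CSVs: one where someone renamed 'src_ip' to 'ip', one intact.
LOOKUP_CSV_BROKEN = "ip,host_name,owner\n10.0.0.1,fw-edge,netops\n"
LOOKUP_CSV_FIXED = "src_ip,host_name,owner\n10.0.0.1,fw-edge,netops\n"

LOOKUP_RE = re.compile(r"^LOOKUP-\S+\s*=\s*(\S+)\s+(.*)$", re.MULTILINE)


def _lookup_columns(tokens):
    """Collect the lookup-side names from 'a AS b c' style token lists."""
    names, i = [], 0
    while i < len(tokens):
        names.append(tokens[i])
        # 'x AS y' binds lookup column x to event field y; skip the alias.
        i += 3 if i + 1 < len(tokens) and tokens[i + 1].upper() == "AS" else 1
    return names


def parse_automatic_lookup(props_text):
    """Return (lookup_name, match_columns, output_columns) of the LOOKUP- setting."""
    m = LOOKUP_RE.search(props_text)
    if not m:
        raise ValueError("no LOOKUP- setting found in props.conf fragment")
    name, rest = m.group(1), m.group(2).split()
    split = next((i for i, t in enumerate(rest)
                  if t.upper() in ("OUTPUT", "OUTPUTNEW")), len(rest))
    return name, _lookup_columns(rest[:split]), _lookup_columns(rest[split + 1:])


def missing_lookup_fields(props_text, csv_text):
    """Columns the automatic lookup requires that the CSV header does not provide.

    An empty file (no header row) reports every column as missing, which is
    the 'entire file could be empty' case from the accepted answer.
    """
    _, match_cols, out_cols = parse_automatic_lookup(props_text)
    header = next(csv.reader(io.StringIO(csv_text)), [])
    present = {h.strip() for h in header}
    return sorted(c for c in match_cols + out_cols if c not in present)


if __name__ == "__main__":
    print("broken:", missing_lookup_fields(PROPS_CONF, LOOKUP_CSV_BROKEN))
    print("fixed: ", missing_lookup_fields(PROPS_CONF, LOOKUP_CSV_FIXED))
```

Any name the check reports is a column the automatic lookup will ask for on every search in that app, which is exactly what produces the per-indexer error above.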

gwalford
Path Finder

The lookup file is intact, it isn't missing any fields.

If I call it like this:
| inputlookup Network_Hosts_List

It returns the .csv properly with no errors.

If I perform any search inside the customer's app (except the above) on any index (even internal indexes), the errors pop up in the search. Even if I make sure to select an index that has no events of sourcetype=network:firewall, these errors still pop up.

0 Karma

sundareshr
Legend

There could be an automatic lookup.

0 Karma