Hi all, I have a CSV lookup file to map with one field in my indexed data. The search was working perfectly before, but today, my search returned 0 results with this alert:

[hdfsprovider] Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

This is my search:

 index=skype_session  | rex "FromIPAddr\"\"\:\"\"(?<FromIPAddr>[^\"]+)\"\"\,\"\"ToIPAddr\"\"" |  rex "ToIPAddr\"\"\:\"\"(?<ToIPAddr>[^\"]+)\"\"\,\"\"FromBssid\"\""    | rex "MediaStartTime\"\"\:\"\"(?<MediaStartTime>[^\"]+)\." | rex "MediaEndTime\"\"\:\"\"(?<MediaEndTime>[^\"]+)\." |  rex "(?<FromUri>[a-zA-Z0-9_\-\.]+@[a-zA-Z0-9_\-\.]+\.[a-zA-Z]{2,5})\",\"(?<ToUri>[a-zA-Z0-9_\-\.]+@[a-zA-Z0-9_\-\.]+\.[a-zA-Z]{2,5})" | 
    lookup staff.csv email AS FromUri  | dedup FromUri |  where FromIPAddr!="" | stats count by department | sort - count

staff.csv looks like this (denoted with comma UTF-8): I wanted to check if indexed field FromUri exists in an email field in the lookup, and if yes, output the department field in the lookup.

|email|department|
|--------|-----------------|
|--------|-----------------|
I checked other questions and there are some stating maybe the Splunk version and .conf issues. But I didn't change .conf and my Splunk version is 6.5.2.

Does anyone know how to solve this? Thanks!