Splunk Search

Why am I receiving this lookup error?

jip31
Motivator

hi

When I call the lookup like below it works fine

 

 

| inputlookup test.csv

 

 

but when I use the lookup in a search I have the message below

 

 

Error in 'lookup' command: Could not construct lookup

 

 

here is the lookup

jip31_0-1652169282091.png

 what I have to do please?

Labels (1)
Tags (1)
0 Karma

jip31
Motivator

Is anybody can help please?

0 Karma

jip31
Motivator

is anybody can explain me what is wrong in my csv please?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Have you tried using "AS" instead of "as" in your lookup command?

0 Karma

jip31
Motivator

it changes nothing, same message and same result

If you look at the error message, i think the csv is not interpreted correctly because you can see the fields are not separated correctly

Could not construct lookup 'debit.csv, entite, AS, site, output, sam, espace

But I dont understand what is wrong because when I am doing | inputlookup debit.csv, the data are correctly displayed

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What do you get when you do this:

| inputlookup deb.csv
0 Karma

jip31
Motivator

At the beginning it was working but when I executed the search, I did have the message below

Error in 'lookup' command: Could not construct lookup

 But now when I try to upload the file, Splunk tells me

The lookup table 'debit.csv' requires a .csv or KV store lookup definition.

Here is the csv

https://www.cjoint.com/c/LElp7nHLilB

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Looks like you need to address that error! 😀

0 Karma

jip31
Motivator

What do you mean exactly ?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Thoroughly check your definitions to see if everything is correct - you could try recreating the key store to see if that fixes your issue.

0 Karma

jip31
Motivator

I done it and now | inputlookup deb.csv works fine

But when I run my searches the lookup doesnt works with 2 different case

If I run this, I have no error but the csv is not taken into account

| lookup deb.csv sam espace as site output entite debit
| stats last(site) as "Espace" by sam 

 And if I run this, I have the message "Error in 'lookup' command: Could not construct lookup"

| lookup deb.csv espace as site output entite debit sam
| stats last(site) as "Espace" by sam 

 There is no empty fields in the csv

https://www.cjoint.com/c/LElp7nHLilB

What is wrong please?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

sam doesn't exist in the csv list you provided but I suspect that's just a typo as you would have got a different error otherwise.

How big is your csv file?

What does the job inspector report?

0 Karma

jip31
Motivator

sam is the CSV example correspond to "s" field

the csv size is 4 ko

here is some info from the job inspector

jip31_0-1652343769181.png

 

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Can you complete the picture with the search or at least the line you used in the search which is giving you this error?

0 Karma

gcusello
Legend

Hi @jip31,

did you created the lookup definition? {settings -- Lookups -- Lookup Definitions]

Ciao.

Giuseppe

0 Karma

jip31
Motivator

hello

yes

0 Karma

gcusello
Legend

Hi @jip31,

could you share your search and the conf files containing the lookup?

Ciao.

Giuseppe

0 Karma

jip31
Motivator

Hi

Here is the csv

jip31_0-1652201921860.png

and the search

| lookup deb.csv entite as site output s espace
| stats last(site) as site, last(espace) as espace by s

 

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>