Splunk Search

Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.

user2020dy
Path Finder

Hello, guys

I'm having trouble with the output of the lookup command.

I know the correct syntax of the command:

...| lookup <lookup-table-name> <lookup-field1> AS <event-field1>, <lookup-field2> AS <event-field2> OUTPUTNEW <lookup-destfield1> AS <event-destfield1>, <lookup-destfield2> AS <event-destfield2>

And I'm sure that the described fields are in the lookup.

However, I still get this error message. Any idea what it can be?


P.S. I also tried with OUTPUTNEW; nothing changed.


user2020dy
Path Finder

Thanks everybody for the help.

I guess the problem was in permissions by the app. The lookup was created within one app and searched within another. When I launched the search with the |lookup command in the app where the lookup was created, the events appeared.

Still don't completely understand the reason, because the permissions were set as GLOBAL and the search must work within any app where it is launched. But it works 🙂


ITWhisperer
SplunkTrust

Do you know which lookup is failing? Try removing each lookup until it works. Then check the field names in the lookup that fails to make sure you have them correct in your lookup.

user2020dy
Path Finder

The | lookup output is absent from the first lookup usage.

Please look at my search: | lookup should add the fields dest_depart, src_depart to my table.

But the command doesn't run.


ITWhisperer
SplunkTrust

By first lookup usage do you mean investigate_domains? If so, could you check the fields you are getting back?

| inputlookup investigate_domains append=t
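As an added example (not Splunk's code and not posted by anyone in this thread), the Python below models the two things this thread points at: ITWhisperer's advice to compare the lookup-side field names in the clause against the columns of the table, which is the check behind the "Could not find all of the specified lookup fields" error, and the accepted answer's finding that the same search only worked from the app where the lookup was created. The visibility model is an assumption that simplifies Splunk's real permission handling: an app sees its own knowledge objects plus those another app shares globally, and a CSV lookup needs both the lookup definition and the lookup file to be visible (in Splunk these are separate objects with separate sharing settings, so a definition shared globally can still point at a file that is not). The lookup name, app names, columns and events are constructed.

```python
"""Simplified model of how a Splunk `| lookup` clause is parsed, resolved and
validated. Added example, not Splunk's own code. The visibility rules below
(own app or globally shared; definition AND file must be visible) are an
assumption that simplifies Splunk's real permission handling."""
import csv
import io
import re
from dataclasses import dataclass


class LookupResolutionError(Exception):
    """Raised when the lookup cannot be used from the current app context."""


@dataclass
class KnowledgeObject:
    name: str      # lookup definition name, or lookup file name
    app: str       # app the object was created in
    sharing: str   # "app" or "global"
    target: str    # definition: file it points to; file: its CSV content


def visible(obj: KnowledgeObject, current_app: str) -> bool:
    return obj.app == current_app or obj.sharing == "global"


def resolve_csv(name, current_app, definitions, files):
    """Return the CSV text behind lookup definition `name` as seen from `current_app`."""
    defn = next((d for d in definitions if d.name == name and visible(d, current_app)), None)
    if defn is None:
        raise LookupResolutionError(f"lookup definition '{name}' not visible from app '{current_app}'")
    lfile = next((f for f in files if f.name == defn.target and visible(f, current_app)), None)
    if lfile is None:
        raise LookupResolutionError(f"lookup file '{defn.target}' not visible from app '{current_app}'")
    return lfile.target


def parse_pairs(text):
    """'lf1 AS ef1, lf2' -> [('lf1', 'ef1'), ('lf2', 'lf2')] as (lookup field, event field)."""
    pairs = []
    for part in filter(None, (p.strip() for p in text.split(","))):
        m = re.fullmatch(r"(\S+)(?:\s+AS\s+(\S+))?", part, flags=re.IGNORECASE)
        if m is None:
            raise ValueError(f"cannot parse field spec '{part}'")
        pairs.append((m.group(1), m.group(2) or m.group(1)))
    return pairs


def parse_lookup_clause(clause):
    """Split '| lookup NAME <match pairs> [OUTPUT|OUTPUTNEW <output pairs>]'."""
    body = re.sub(r"^\s*\|?\s*lookup\s+", "", clause.strip(), flags=re.IGNORECASE)
    parts = re.split(r"\s+(OUTPUTNEW|OUTPUT)\s+", body, maxsplit=1, flags=re.IGNORECASE)
    head = re.split(r"\s+", parts[0].strip(), maxsplit=1)
    name, match_text = head[0], (head[1] if len(head) > 1 else "")
    mode = parts[1].upper() if len(parts) > 1 else "OUTPUT"
    out_text = parts[2] if len(parts) > 2 else ""
    match_pairs = parse_pairs(match_text)
    if not match_pairs:
        raise ValueError("lookup needs at least one match field")
    return name, match_pairs, mode, parse_pairs(out_text)


def apply_lookup(events, clause, current_app, definitions, files):
    """Enrich a list of event dicts the way `| lookup` would; returns new dicts."""
    name, match_pairs, mode, out_pairs = parse_lookup_clause(clause)
    reader = csv.DictReader(io.StringIO(resolve_csv(name, current_app, definitions, files)))
    header = reader.fieldnames or []
    rows = list(reader)
    # With no OUTPUT clause, every non-match column of the lookup is output.
    if not out_pairs:
        matched = {lf for lf, _ in match_pairs}
        out_pairs = [(c, c) for c in header if c not in matched]
    # The check behind the error in this thread: every name on the lookup side
    # of AS (match and output fields alike) must be a column of the table.
    missing = [lf for lf, _ in match_pairs + out_pairs if lf not in header]
    if missing:
        raise ValueError("Could not find all of the specified lookup fields in the "
                         f"lookup table: {', '.join(missing)} (columns: {', '.join(header)})")
    result = []
    for ev in events:
        ev = dict(ev)
        row = next((r for r in rows
                    if all(r[lf] == ev.get(ef) for lf, ef in match_pairs)), None)
        if row is not None:
            for lf, ef in out_pairs:
                # OUTPUTNEW keeps an event field that is already populated.
                if mode == "OUTPUTNEW" and ev.get(ef) not in (None, ""):
                    continue
                ev[ef] = row[lf]
        result.append(ev)
    return result


# Constructed knowledge objects and events (not from the thread). The definition
# is shared only within security_app, the file globally.
DEFINITIONS = [KnowledgeObject("investigate_domains", "security_app", "app", "investigate_domains.csv")]
FILES = [KnowledgeObject("investigate_domains.csv", "security_app", "global",
                         "domain,dest_depart,src_depart\nexample.com,finance,it\nexample.org,hr,sales\n")]
EVENTS = [{"dest_domain": "example.com", "src_depart": "ops"}, {"dest_domain": "nomatch.test"}]
CLAUSE = "| lookup investigate_domains domain AS dest_domain OUTPUTNEW dest_depart, src_depart"

if __name__ == "__main__":
    print(apply_lookup(EVENTS, CLAUSE, "security_app", DEFINITIONS, FILES))
    for app, clause in (("search", CLAUSE),
                        ("security_app", CLAUSE.replace("src_depart", "src_dept"))):
        try:
            apply_lookup(EVENTS, clause, app, DEFINITIONS, FILES)
        except (LookupResolutionError, ValueError) as exc:
            print(f"{app}: {exc}")
```

Run from security_app the clause enriches the first event and leaves its existing src_depart alone (OUTPUTNEW); run from the search app the same clause fails before any field check because the definition is not visible there; a misspelled lookup-side name fails with the field error even from the right app. When a "global" lookup still fails from another app, the two objects to compare are the lookup definition and the lookup file, since each carries its own sharing setting.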