Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error 'Could not find all of the specified lookup fields in the lookup table.'

Genti
Splunk Employee
Splunk Employee
‎05-21-2010 09:44 PM

Forwarding a question:

"... attempting to setup a lookup table. Each time I save an automatic lookup it always returns

Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'syslog' and lookup table 'Transponder'.

If I go back and view the automatic lookup, it will have multiple "blank" fields added to it. Each additional save (after deleting the blank fields or otherwise) will result in more blank fields along with the original valid fields..... Eventually the error turns to

Error 'syslog' for conf 'Transponder "" sa_msg_subject AS interface_description OUTPUTNEW "" descr AS transponder' and lookup 'Field names cannot be empty.'.

But this seems like a browser/django malfunction to me, but I was trying to avoid setting up the lookup table using the configs because generally troubleshooting for the first time is even harder.

Can you think of anything stupid I may be doing? I can't find any reference to this error anywhere.

Finally, if my lookup table has a comma as a valid value do I need to escape it? Do your csv's support quoted values? ..."

Thanks, .gz

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎05-21-2010 10:38 PM

What is the lookup command you're using to generate this error.

Do you have somedata.csv stored in $SPLUNK_HOME/etc/system/lookups/ (or in an applicaton's lookups folder) and referenced in transforms.conf... 

[somelookuptable]
filename = somedata.csv

You're right that CSV files used in lookups may have values with commas, provided those values are double quoted (e.g. "last, first" as a value for a field fullName).

View solution in original post

Reply
Solved! Jump to solution
Solution

bwooden
Splunk Employee
Splunk Employee
‎05-21-2010 10:38 PM

What is the lookup command you're using to generate this error.

Do you have somedata.csv stored in $SPLUNK_HOME/etc/system/lookups/ (or in an applicaton's lookups folder) and referenced in transforms.conf... 

[somelookuptable]
filename = somedata.csv

You're right that CSV files used in lookups may have values with commas, provided those values are double quoted (e.g. "last, first" as a value for a field fullName).

Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...