Getting Data In

Error 'Could not find all of the specified lookup fields in the lookup table.'

Genti
Splunk Employee
Splunk Employee

Forwarding a question:

"... attempting to setup a lookup table. Each time I save an automatic lookup it always returns

Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'syslog' and lookup table 'Transponder'.

If I go back and view the automatic lookup, it will have multiple "blank" fields added to it. Each additional save (after deleting the blank fields or otherwise) will result in more blank fields along with the original valid fields..... Eventually the error turns to

Error 'syslog' for conf 'Transponder "" sa_msg_subject AS interface_description OUTPUTNEW "" descr AS transponder' and lookup 'Field names cannot be empty.'.

But this seems like a browser/django malfunction to me, but I was trying to avoid setting up the lookup table using the configs because generally troubleshooting for the first time is even harder.

Can you think of anything stupid I may be doing? I can't find any reference to this error anywhere.

Finally, if my lookup table has a comma as a valid value do I need to escape it? Do your csv's support quoted values? ..."

Thanks, .gz

Tags (2)
0 Karma
1 Solution

bwooden
Splunk Employee
Splunk Employee

What is the lookup command you're using to generate this error.

Do you have somedata.csv stored in $SPLUNK_HOME/etc/system/lookups/ (or in an applicaton's lookups folder) and referenced in transforms.conf...

[somelookuptable]
filename = somedata.csv

You're right that CSV files used in lookups may have values with commas, provided those values are double quoted (e.g. "last, first" as a value for a field fullName).

View solution in original post

bwooden
Splunk Employee
Splunk Employee

What is the lookup command you're using to generate this error.

Do you have somedata.csv stored in $SPLUNK_HOME/etc/system/lookups/ (or in an applicaton's lookups folder) and referenced in transforms.conf...

[somelookuptable]
filename = somedata.csv

You're right that CSV files used in lookups may have values with commas, provided those values are double quoted (e.g. "last, first" as a value for a field fullName).

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...