- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- "Error in lookup command" - FlashChart not loading
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"Error in lookup command" - FlashChart not loading
I'm trying to display a chart using FlashChart. When I run the raw query, it works perfectly and displays the chart as I expected. But when I try to render it to a FlashTable I get this error: "400 - Error in lookup command: Could not find all the specified destination fields in lookup table." Also, when I try to render the results to a SimpleResultsTable, I get this error: "The job appears to have expired or has been canceled. Splunk could not retrieve data for this search." which seems like it's just indicating that the search failed.
Here's my XML:
<view autoCancelInterval="90" isVisible="true" onunloadCancelJobs="true" template="dashboard.html">
<label>Alarms</label>
<module name="SideviewUtils" layoutPanel="appHeader"/>
<module name="AppBar" layoutPanel="navigationHeader"/>
<module name="TextField" layoutPanel="panel_row1_col1_grp1">
<param name="label">Channel:</param>
<param name="name">channel</param>
<module name="Search" >
<param name="search">
sourcetype="telemetry" chan_name="$channel.value$" | lookup alarm_lookup chan_name OUTPUT red_type, yellow_type, high_red, low_red, high_yellow, low_yellow | eval value=if(eu!="", eu, dn) | eval HIGH_RED=high_red |eval LOW_RED=low_red | eval HIGH_YELLOW=high_yellow | eval LOW_YELLOW=low_yellow | chart first(value) AS Value, first(HIGH_RED) AS HIGH_RED, first(LOW_RED) AS LOW_RED, first(HIGH_YELLOW) AS HIGH_YELLOW, first(LOW_YELLOW) AS LOW_YELLOW by scet
</param>
<module name="HTML">
<param name="html">$search$</param>
</module>
<module name="SimpleResultsTable">
<param name="entityName">results</param>
</module>
<module name="HiddenChartFormatter">
<param name="chart">line</param>
<param name="chartTitle">Channel Values and Alarm Thresholds</param>
<param name="secondaryAxisTitle.text">Value</param>
<param name="legend.placement">right</param>
<module name="JobProgressIndicator"/>
<module name="FlashChart" />
</module>
</module>
</module>
</view>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Matt,
So I set up the sample lookup csv you sent, and I indexed the events you sent over as a csv. Unfortunately I can't find reproduce the problem.
So here's all I can think of:
There is this related question on answers -- http://splunk-base.splunk.com/answers/38321/could-not-find-all-of-the-specified-lookup-fields-in-the... However since your lookup file also contains an empty first field called 'dummy' (which was a suggested fix from that answer), then I suspect you've already come across this. At any rate I would double check the file encoding...
File-encoding issues aside, that error message from the lookup command -- you hit that only if a field is missing from the lookup file completely, and I think that's a clue. ie if you have an OUTPUT field of high_red, to trigger the error you'd have to not only be missing the high_red values from the lookup rows, but you'd have to be missing the high_red column entirely from the whole lookup.... If you are set up with distributed search, I'd triple check the assumptions, like make sure that you have the lookup on the search-head and not on the indexers.
And for what it's worth, even when I play around with your lookup and try and make splunkd give back that error, the only way I can hit it is to have a field that isn't anywhere in there at all, like :
` | lookup alarm_lookup chan_name OUTPUT chicken, red_type
And if it's not file-encoding, or something really weird about distributed search (windows SH and linux indexers??), then you should take the case to a Splunk Support engineer, who are invariably awesome and who will figure it out.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK I sent you the CSV sample. I won't have access to our Splunk instance until Monday, though, so I can't send you sample events until then.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well I'm almost certain we're on the trail of some weird search language or lookup problem. Probably a fixable one. Can you send me some or all of that lookup file, and send me a handful of sample events? I'd like to try and reproduce the problem locally. (nick [at] sideviewapps.com)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The SimpleResultsTable shows the error "The job appears to have expired or has been canceled. Splunk could not retrieve data for this search."
When I run the search manually, it displays the results and renders the table correctly.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you try two things to troubleshoot first? If you put a SimpleResultsTable there instead of the FlashChart what does the data look like? And secondly if you run the search manually in the "charting" view does it work there?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I reposted your XML - what happens is that the little 'preview' pane that you see doesn't do a good job of 'previewing'. 😃 So it looks like it wont display the tags in the preview but when you actually submit it they display fine.
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
