- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookup error: Could not find all of the specified ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
I'm trying to use lookup table but I get the error I wrote in the title.
My .conf files are
props.conf:
[mobile]
NO_BINARY_CHECK = 1
pulldown_type = 1
REPORT -mobileextract = estrae_mobile
FIELDALIAS-rinominacifn = cif_number AS cif
LOOKUP -table = useragent_lookup PropertyName AS useragent OUTPUTNEW Browser As Browser , Version AS Version
transforms.conf
[estrae_mobile]
DELIMS = "\t"
FIELDS = browser, useragent
[useragent_lookup]
filename = useragent_lookup.csv
The first two lines of the csv file are in \etc\system\lookups\useragent_lookup.csv
PropertyName;AgentID;MasterParent;LiteMode;Parent;Comments;Browser;Version;MajorVer;MinorVer;Platform;Platform_Version;Platform_Description;Alpha;Beta;Win16;Win32;Win64;Frames;IFrames;Tables;Cookies;BackgroundSounds;JavaScript;VBScript;JavaApplets;ActiveXControls;isMobileDevice;isSyndicationReader;Crawler;CSSVersion;AolVersion;Device_Name;Device_Maker;RenderingEngine_Name;RenderingEngine_Version;RenderingEngine_Description;;
Ask;4163;true;true;Ask;Ask;Ask;0;;0;;0;;false;false;false;false;false;true;true;true;false;false;false;false;false;false;false;false;true;0;0;;;;0;;;
"Mozilla/5.0 (compatible; bingbot/2.*)";11771;false;true;MSN;;BingBot;0;;0;;0;;default;default;default;default;default;default;default;default;default;default;default;default;default;default;default;default;default;0;0;;;;0;;;
I don't find an error, can someone help me?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The error was genereted because my lookup fields were separated by ;
I substituted ; with , and the error was gone.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The error was genereted because my lookup fields were separated by ;
I substituted ; with , and the error was gone.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot, I was must read this two hours ago
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks a lot
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You have the order incorrect in your lookup statement. Which is completely understandable because the correct order is totally counter-intuitive 🙂
The order should be LOOKUP-blabla = yourlookup fieldinlookup AS fieldinyoursearch
So in your case you have
LOOKUP-table = useragent_lookup PropertyName AS useragent ...
When it really should be
LOOKUP-table = useragent_lookup useragent AS PropertyName ...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can be a csv table problem?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It doesn't work anyway.
Moreover I don't understand: PropertyName is the name of the lookup field I would like to match with my field in the search. I thought the order was right
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I checked for hidden characters,nothing. End of line character is unix LF
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
