We are on Splunk 6.2.1. This is all in Splunk search...
I have a macro with lookup which works fine in a simple search but when I save the search and attempt to invoke from `| savedsearch ...` I get this error:
Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table.
Details: lookup file my_test.csv like this:
key,value
A,1
B,2
And very simple macro my_macro like this:
lookup my_test.csv key OUTPUT value
And very simple search "my_search" like this:
index=my_index [edited]
| eval key = "A"
| `my_macro`
| table _time key value
So far everything works fine. All rows have key=A, value=1.
When I do:
| savedsearch "my_search"
I get error message:
"Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table."
Job inspector shows eventSearch (only):
search index=my_index [Edited] | eval key = "A"
Any ideas?
↧