https://community.splunk.com/t5/Getting-Data-In/ingest-eval-lookup-example/m-p/538313#M90236 Hi, do you know what made it work for you? I get the same WARN message, but not the error and I think my configuration is similar. I tried placing the lookup file in both the app and system/lookup directory on my indexers. Tue, 02 Feb 2021 17:16:06 GMT tah7004 2021-02-02T17:16:06Z https://community.splunk.com/t5/Getting-Data-In/ingest-eval-lookup-example/m-p/534975#M89745 <P>Hi all,</P><P>I'm trying to ingest data using a lookup like descripted in:&nbsp;</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/IngestLookups" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/IngestLookups</A></P><P>props.conf:</P><DIV><DIV><SPAN>[ilookuptest]</SPAN></DIV><DIV><SPAN>TRANSFORMS-a</SPAN><SPAN> = ilookuptest1</SPAN></DIV><DIV><SPAN>TRANSFORMS-b</SPAN><SPAN> = ilookuptest2</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>transforms.conf:</SPAN></DIV><DIV>&nbsp;</DIV><DIV><DIV><DIV><SPAN>[ilookuptest1]</SPAN></DIV><DIV><SPAN>INGEST_EVAL</SPAN><SPAN> = </SPAN><SPAN>pod</SPAN><SPAN>=</SPAN><SPAN>"testpod1"</SPAN></DIV><BR /><DIV><SPAN>[ilookuptest2]</SPAN></DIV><DIV><SPAN>INGEST_EVAL</SPAN><SPAN>= </SPAN><SPAN>annotation</SPAN><SPAN>=lookup(</SPAN><SPAN>"testlookup.csv"</SPAN><SPAN>, json_object(</SPAN><SPAN>"pod"</SPAN><SPAN>,</SPAN><SPAN>"pod"</SPAN><SPAN>), json_array(</SPAN><SPAN>"annotation"</SPAN><SPAN>)) </SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>lookup testlookup.csv:</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>pod,annotation<BR />testpod1,testannotation1<BR />testpod2,testannotation2</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>ingest data using:</SPAN></DIV><DIV><SPAN>curl -k <A href="http://192.168.208.5:8088/services/collector" target="_blank">http://192.168.208.5:8088/services/collector</A> -H 'Authorization: Splunk f05eedbb-a706-427e-9606-baa3e8036411' -d '{"index": "test", "sourcetype": "ilookuptest", "event":"this is for testing ingest eval lookup12"}</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>props.conf and transforms.conf are located at $SPLUNK_HOME/etc/system/local .. lookup at $SPLUNK_HOME/etc/system/lookups .&nbsp;</SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>I'm getting errors&nbsp; in splunkd.log:</SPAN></DIV><DIV><SPAN><SPAN class="t">WARN</SPAN> <SPAN class="t">CsvDataProvider</SPAN> <SPAN class="t">-</SPAN> <SPAN class="t">No</SPAN> <SPAN class="t">valid</SPAN> <SPAN class="t">lookup</SPAN> <SPAN class="t">table</SPAN> <SPAN class="t">file</SPAN> <SPAN class="t">found</SPAN> <SPAN class="t">for</SPAN> <SPAN class="t">this</SPAN> <SPAN class="t">lookup=testlookup</SPAN></SPAN></DIV><DIV><SPAN><SPAN class="t h">ERROR</SPAN> <SPAN class="t">CsvDataProvider</SPAN> <SPAN class="t">-</SPAN> <SPAN class="t">The</SPAN> <SPAN class="t">lookup</SPAN> <SPAN class="t">table</SPAN> '<SPAN class="t">testlookup</SPAN>' <SPAN class="t">does</SPAN> <SPAN class="t">not</SPAN> <SPAN class="t">exist</SPAN> <SPAN class="t">or</SPAN> <SPAN class="t">is</SPAN> <SPAN class="t">not</SPAN> <SPAN class="t">available.</SPAN></SPAN></DIV><DIV><SPAN><SPAN class="t"><SPAN class="t h">ERROR</SPAN> pipeline - Runtime exception in pipeline=typing processor=regexreplacement error='Invalid function argument' confkey='source::http:test|host::192.168.208.5:8088|ilookuptest|'<BR /><SPAN class="t h">ERROR</SPAN> pipeline - Uncaught exception in pipeline execution (regexreplacement) - getting next event<BR /><BR /></SPAN></SPAN></DIV><DIV>The event is not indexed...</DIV><DIV>&nbsp;</DIV><DIV>When defining transforms.conf<BR /><SPAN>INGEST_EVAL</SPAN><SPAN>= </SPAN><SPAN>annotation</SPAN><SPAN>=lookup(</SPAN><SPAN>"testlookup"</SPAN><SPAN>, json_object(</SPAN><SPAN>"pod"</SPAN><SPAN>,</SPAN><SPAN>"pod"</SPAN><SPAN>), json_array(</SPAN><SPAN>"annotation"</SPAN><SPAN>)) </SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN>I'm getting errors in splunkd.log:</SPAN></DIV><DIV><SPAN><SPAN class="t h">WARN</SPAN> <SPAN class="t">CsvDataProvider</SPAN> <SPAN class="t">-</SPAN> <SPAN class="t">Unable</SPAN> <SPAN class="t">to</SPAN> <SPAN class="t">find</SPAN> <SPAN class="t">filename</SPAN> <SPAN class="t">property</SPAN> <SPAN class="t">for</SPAN> <SPAN class="t">lookup=testlookup.csv</SPAN> <SPAN class="t">will</SPAN> <SPAN class="t">attempt</SPAN> <SPAN class="t">to</SPAN> <SPAN class="t">use</SPAN> <SPAN class="t">implicit</SPAN> <SPAN class="t">filename.</SPAN></SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN><SPAN class="t">Event is indexed but not getting the value from the lookup.&nbsp;</SPAN></SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN><SPAN class="t">File is there, read permissions are set, "| inputlookup testlookup.csv" is displaying results.</SPAN></SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN><SPAN class="t">Any hints or a working INGEST_EVAL using lookups example?</SPAN></SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN><SPAN class="t">Best Regards,</SPAN></SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN><SPAN class="t">Andreas</SPAN></SPAN></DIV></DIV></DIV></DIV> Wed, 06 Jan 2021 17:51:11 GMT https://community.splunk.com/t5/Getting-Data-In/ingest-eval-lookup-example/m-p/534975#M89745 schose 2021-01-06T17:51:11Z https://community.splunk.com/t5/Getting-Data-In/ingest-eval-lookup-example/m-p/535501#M89806 <P>a working transforms.conf:</P><P><SPAN>[ilookuptest1]</SPAN></P><DIV><DIV><SPAN>INGEST_EVAL</SPAN><SPAN> = </SPAN><SPAN>pod</SPAN><SPAN>=</SPAN><SPAN>"testpod1"</SPAN></DIV><BR /><DIV><SPAN>[ilookuptest2]</SPAN></DIV><DIV><SPAN>INGEST_EVAL</SPAN><SPAN>= </SPAN><SPAN>annotation</SPAN><SPAN>=json_extract(lookup(</SPAN><SPAN>"testlookup.csv"</SPAN><SPAN>,json_object(</SPAN><SPAN>"pod"</SPAN><SPAN>,pod), json_array(annotation)),</SPAN><SPAN>"annotation"</SPAN><SPAN><SPAN>)<BR /></SPAN></SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN><SPAN>message:<BR /></SPAN></SPAN><DIV><SPAN><SPAN class="t h">WARN</SPAN>&nbsp;<SPAN class="t">CsvDataProvider</SPAN>&nbsp;<SPAN class="t">-</SPAN>&nbsp;<SPAN class="t">Unable</SPAN>&nbsp;<SPAN class="t">to</SPAN>&nbsp;<SPAN class="t">find</SPAN>&nbsp;<SPAN class="t">filename</SPAN>&nbsp;<SPAN class="t">property</SPAN>&nbsp;<SPAN class="t">for</SPAN>&nbsp;<SPAN class="t">lookup=testlookup.csv</SPAN>&nbsp;<SPAN class="t">will</SPAN>&nbsp;<SPAN class="t">attempt</SPAN>&nbsp;<SPAN class="t">to</SPAN>&nbsp;<SPAN class="t">use</SPAN>&nbsp;<SPAN class="t">implicit</SPAN>&nbsp;<SPAN class="t">filename.<BR /><BR />still there, but working.</SPAN></SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN><SPAN class="t">Regards,</SPAN></SPAN></DIV><DIV>&nbsp;</DIV><DIV><SPAN><SPAN class="t">Andreas</SPAN></SPAN></DIV></DIV></DIV> Tue, 12 Jan 2021 15:35:45 GMT https://community.splunk.com/t5/Getting-Data-In/ingest-eval-lookup-example/m-p/535501#M89806 schose 2021-01-12T15:35:45Z https://community.splunk.com/t5/Getting-Data-In/ingest-eval-lookup-example/m-p/538313#M90236 Hi, do you know what made it work for you? I get the same WARN message, but not the error and I think my configuration is similar. I tried placing the lookup file in both the app and system/lookup directory on my indexers. Tue, 02 Feb 2021 17:16:06 GMT https://community.splunk.com/t5/Getting-Data-In/ingest-eval-lookup-example/m-p/538313#M90236 tah7004 2021-02-02T17:16:06Z