Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Lookups not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lookups not working
I am running splunk4.2.2 on Linux servers
On My search-heads under /app/splunk/etc/system/local
props.conf entries
[syslog_vrsn]
TZ = US/Eastern
REPORT-rsysog = rsyslog_extractions
lookup_deparment = IpLookup log_ip OUTPUT dept_name
transforms.conf entries
[rsyslog_extractions]
REGEX = (\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)
FORMAT = log_date::"$1" time::"$2" log_ip::"$3" log_host::"$4" facility::"$5" seveority::"$6" Message::"$12"
WRITE_META = false
Under /app/splunk/etc/system/lookups
IpLookup.csv entries
10.174.27.246,nw_grp_SUCCESS
10.174.159.249,SUCCESS_PENDING
I am still getting The lookup table 'IpLookup' does not exist. It is referenced by configuration 'syslog_vrsn' and Its pointing to Indexers ..I even pushed the same config to Indexers But splunk still says "IpLookup" missining I even copied Iplookup.csv to Iplookup to see If the error clears but No luck ..Any help or any one have this issue ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have already checked those and they show properly
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What are the "sharing permissions" on the objects ?
Can you post an example of the search you are using ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you log into Splunk Web and browse to :
Manager » Lookups » Lookup table files
Manager » Lookups » Lookup definitions
Do you see the lookup definition and lookup file objects and are the sharing permissions set appropriately ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply Damien , I tried the file name explicitly but still complains abt "The lookup table 'IpLookup' does not exist. It is referenced by configuration 'syslog_vrsn' "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this (note, I corrected your "deparment" spelling)
props.conf
LOOKUP-department = IpLookup log_ip OUTPUT dept_name
transforms.conf
[IpLookup]
filename = Iplookup.csv
max_matches = 1
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
