Getting Data In
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Lookups not working
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lookups not working
desi-indian
Path Finder
12-06-2011
11:07 AM
I am running splunk4.2.2 on Linux servers
On My search-heads under /app/splunk/etc/system/local
props.conf entries
[syslog_vrsn]
TZ = US/Eastern
REPORT-rsysog = rsyslog_extractions
lookup_deparment = IpLookup log_ip OUTPUT dept_name
transforms.conf entries
[rsyslog_extractions]
REGEX = (\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)
FORMAT = log_date::"$1" time::"$2" log_ip::"$3" log_host::"$4" facility::"$5" seveority::"$6" Message::"$12"
WRITE_META = false
Under /app/splunk/etc/system/lookups
IpLookup.csv entries
10.174.27.246,nw_grp_SUCCESS
10.174.159.249,SUCCESS_PENDING
I am still getting The lookup table 'IpLookup' does not exist. It is referenced by configuration 'syslog_vrsn' and Its pointing to Indexers ..I even pushed the same config to Indexers But splunk still says "IpLookup" missining I even copied Iplookup.csv to Iplookup to see If the error clears but No luck ..Any help or any one have this issue ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
desi-indian
Path Finder
12-07-2011
01:17 PM
I have already checked those and they show properly
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Damien_Dallimor
Ultra Champion
12-07-2011
06:48 PM
What are the "sharing permissions" on the objects ?
Can you post an example of the search you are using ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Damien_Dallimor
Ultra Champion
12-07-2011
01:03 PM
If you log into Splunk Web and browse to :
Manager » Lookups » Lookup table files
Manager » Lookups » Lookup definitions
Do you see the lookup definition and lookup file objects and are the sharing permissions set appropriately ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
desi-indian
Path Finder
12-07-2011
10:07 AM
Thanks for the reply Damien , I tried the file name explicitly but still complains abt "The lookup table 'IpLookup' does not exist. It is referenced by configuration 'syslog_vrsn' "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Damien_Dallimor
Ultra Champion
12-06-2011
11:43 AM
Try this (note, I corrected your "deparment" spelling)
props.conf
LOOKUP-department = IpLookup log_ip OUTPUT dept_name
transforms.conf
[IpLookup]
filename = Iplookup.csv
max_matches = 1
Get Updates on the Splunk Community!
Exciting News: The AppDynamics Community Joins Splunk!
Hello Splunkers,
I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
The All New Performance Insights for Splunk
Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
