Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Lookups not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lookups not working
I am running splunk4.2.2 on Linux servers
On My search-heads under /app/splunk/etc/system/local
props.conf entries
[syslog_vrsn]
TZ = US/Eastern
REPORT-rsysog = rsyslog_extractions
lookup_deparment = IpLookup log_ip OUTPUT dept_name
transforms.conf entries
[rsyslog_extractions]
REGEX = (\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)
FORMAT = log_date::"$1" time::"$2" log_ip::"$3" log_host::"$4" facility::"$5" seveority::"$6" Message::"$12"
WRITE_META = false
Under /app/splunk/etc/system/lookups
IpLookup.csv entries
10.174.27.246,nw_grp_SUCCESS
10.174.159.249,SUCCESS_PENDING
I am still getting The lookup table 'IpLookup' does not exist. It is referenced by configuration 'syslog_vrsn' and Its pointing to Indexers ..I even pushed the same config to Indexers But splunk still says "IpLookup" missining I even copied Iplookup.csv to Iplookup to see If the error clears but No luck ..Any help or any one have this issue ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have already checked those and they show properly
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What are the "sharing permissions" on the objects ?
Can you post an example of the search you are using ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you log into Splunk Web and browse to :
Manager » Lookups » Lookup table files
Manager » Lookups » Lookup definitions
Do you see the lookup definition and lookup file objects and are the sharing permissions set appropriately ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the reply Damien , I tried the file name explicitly but still complains abt "The lookup table 'IpLookup' does not exist. It is referenced by configuration 'syslog_vrsn' "
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this (note, I corrected your "deparment" spelling)
props.conf
LOOKUP-department = IpLookup log_ip OUTPUT dept_name
transforms.conf
[IpLookup]
filename = Iplookup.csv
max_matches = 1
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
