I am running Splunk 4.2.2 on Linux servers.
On my search heads, under /app/splunk/etc/system/local:
TZ = US/Eastern
REPORT-rsysog = rsyslog_extractions
lookup_deparment = IpLookup log_ip OUTPUT dept_name
REGEX = (\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)
FORMAT = log_date::"$1" time::"$2" log_ip::"$3" log_host::"$4" facility::"$5" seveority::"$6" Message::"$12"
WRITE_META = false
I am still getting "The lookup table 'IpLookup' does not exist. It is referenced by configuration 'syslog_vrsn'", and it is pointing to the indexers. I even pushed the same config to the indexers, but Splunk still says "IpLookup" is missing. I even copied Iplookup.csv to Iplookup to see if the error clears, but no luck. Any help, or has anyone else had this issue?
If you log into Splunk Web and browse to:
Manager » Lookups » Lookup table files
Manager » Lookups » Lookup definitions
Do you see the lookup definition and lookup table file objects, and are the sharing permissions set appropriately?
Try this (note, I corrected your "deparment" spelling):
LOOKUP-department = IpLookup log_ip OUTPUT dept_name
[IpLookup]
filename = Iplookup.csv
max_matches = 1
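The answer above rests on three things lining up: a props.conf key spelled exactly `LOOKUP-<name>`, a transforms.conf stanza whose name matches the first token of that key's value, and a CSV under `lookups/` whose on-disk name matches `filename` (Linux filesystems are case-sensitive, so Iplookup.csv and IpLookup.csv are different files) and whose header contains the input and output columns. The checker below is an added example, not Splunk's code and not from either poster; the config texts, the `[syslog_vrsn]` stanza and the CSV rows are constructed from the thread, and the function names are my own. It reproduces the posted (broken) wiring, a case-mismatched file, and the corrected setup, and reports why each would fail.

```python
"""Added example: static checker for Splunk automatic-lookup wiring
(props.conf LOOKUP-* -> transforms.conf stanza -> CSV in lookups/).
Illustrative code, not Splunk's own; all inputs below are constructed."""
import configparser
import csv
import os
import tempfile


def parse_conf(text):
    """Splunk .conf files are INI-like. Keep key case (Splunk only honours
    LOOKUP-<name>, not lookup_<name>) and split only on '=' because values
    such as time::"$2" contain colons."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def lookup_columns(tokens):
    """CSV column names from a 'col [AS event_field] ...' token list:
    the lookup column is always the name before AS."""
    cols, i = [], 0
    while i < len(tokens):
        cols.append(tokens[i])
        i += 3 if i + 2 < len(tokens) and tokens[i + 1].upper() == "AS" else 1
    return cols


def check_lookup_wiring(props_text, transforms_text, lookups_dir):
    """Return a list of problem strings; an empty list means the lookup should resolve."""
    problems = []
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    for sourcetype in props.sections():
        for key, value in props[sourcetype].items():
            if key.lower().startswith("lookup") and not key.startswith("LOOKUP-"):
                problems.append(f"[{sourcetype}] {key}: automatic lookups must be spelled "
                                f"LOOKUP-<name>; this key is ignored by Splunk")
                continue
            if not key.startswith("LOOKUP-"):
                continue
            tokens = value.split()
            stanza = tokens[0]
            if stanza not in transforms:
                problems.append(f"[{sourcetype}] {key}: lookup table '{stanza}' has no "
                                f"[{stanza}] stanza in transforms.conf")
                continue
            filename = transforms[stanza].get("filename")
            if not filename:
                problems.append(f"[{stanza}]: missing filename = <file>.csv")
                continue
            path = os.path.join(lookups_dir, filename)
            if not os.path.isfile(path):
                # Case-sensitive filesystem: IpLookup.csv is not Iplookup.csv.
                near = [f for f in os.listdir(lookups_dir) if f.lower() == filename.lower()]
                hint = f" (found '{near[0]}', case differs)" if near else ""
                problems.append(f"[{stanza}]: '{filename}' not found in {lookups_dir}{hint}")
                continue
            with open(path, newline="") as fh:
                header = next(csv.reader(fh), [])
            split = next((i for i, t in enumerate(tokens) if t in ("OUTPUT", "OUTPUTNEW")),
                         len(tokens))
            wanted = lookup_columns(tokens[1:split]) + lookup_columns(tokens[split + 1:])
            for col in wanted:
                if col not in header:
                    problems.append(f"[{stanza}]: column '{col}' not in {filename} header {header}")
    return problems


def demo():
    """Constructed reproduction: posted key name, wrong-case file, then the corrected wiring."""
    transforms = "[IpLookup]\nfilename = Iplookup.csv\nmax_matches = 1\n"
    broken_props = "[syslog_vrsn]\nlookup_deparment = IpLookup log_ip OUTPUT dept_name\n"
    fixed_props = "[syslog_vrsn]\nLOOKUP-department = IpLookup log_ip OUTPUT dept_name\n"
    csv_body = "log_ip,dept_name\n10.0.0.5,finance\n"  # constructed sample rows
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "IpLookup.csv"), "w") as fh:  # case does not match filename
            fh.write(csv_body)
        broken = check_lookup_wiring(broken_props, transforms, d)
        wrong_case = check_lookup_wiring(fixed_props, transforms, d)
        with open(os.path.join(d, "Iplookup.csv"), "w") as fh:  # matches transforms.conf
            fh.write(csv_body)
        fixed = check_lookup_wiring(fixed_props, transforms, d)
    return broken, wrong_case, fixed


if __name__ == "__main__":
    for label, result in zip(("as posted", "wrong case", "fixed"), demo()):
        print(label, result or "OK")
```

Run it as-is to see the three outcomes; to check a real deployment, point `check_lookup_wiring` at the app's props.conf, transforms.conf and `lookups/` directory on the search head. Because automatic lookups run at search time, the same app (conf files plus the CSV) needs to be on the search head, not only pushed to the indexers.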