OK, so I've spent a good bit of time trying to implement lookup tables according to the docs, and I'm getting no luck at all. When I try to use the GUI to add a lookup table file, I get the following error:
Encountered the following error while trying to save: In handler 'lookup-table-files': Error performing action=create on object id=ol1.csv in config=lookups.
In the splunkd log, I see:
02-28-2011 11:50:06.127 WARN LookupTableConfPathMapper - Refuse to copy file from unsafe location: /splunk/var/run/splunk/lookup_tmp/ol1.csv.0132362786125
02-28-2011 11:50:06.127 ERROR PropertiesMapConfig - Failed to save settings: /admin/search/lookups/ol1.csv (user: admin, app: search, root: /opt/splunk/etc): Data could not be written: /admin/search/lookups/ol1.csv: /opt/splunk/var/run/splunk/lookup_tmp/ol1.csv.0132362786125
Putting modified props.conf and transforms.conf in apps/search/local and putting the file in apps/search/lookups has no effect: no error messages on restart saying they were read and were improper, and no visible change in the log messages to suggest it worked. btool says the properties were loaded.
props.conf:
[syslog]
pulldown_type = true
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False
lookup_orblookup = orblookup Hostname OUTPUTNEW OrganizationCode
transforms.conf:
[orblookup]
filename = ol1.csv
head ol1.csv
Hostname,OrganizationCode
hostname1.example.com,Data Warehouse
hostname2.example.com,Data Warehouse
hostname3.example.com,Data Warehouse
hostname4.example.com,Data Warehouse
hostname5.example.com,Infrastructure Operations
Have you symlink-ed $SPLUNK_HOME/var out to /splunk/var?
If so, this is a known issue (for internal use: SPL-37310).
Setting SPLUNK_HOME to /splunk instead of /opt/splunk should fix lookup table upload.
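Added illustration, not part of the original thread or of Splunk's own code: the WARN line above says the staged upload was refused as coming from an "unsafe location", and ewoo's answer ties that to $SPLUNK_HOME being reached through a symlink. The snippet below models the kind of path-containment check such a warning implies (the exact logic inside Splunk is an assumption, as are the function names `naive_is_under` and `safe_is_under`): a lexical prefix comparison rejects a file that lives under the real directory when the configured root is the symlink path, while a check that canonicalises both sides accepts it and still rejects files that really are outside the root. It also reproduces the workaround, namely pointing the root at the canonical path so the prefix check agrees. The layout is built in a temporary directory with constructed paths and assumes a POSIX host where symlinks can be created.

```python
import os
import tempfile
from pathlib import Path


def naive_is_under(root: str, path: str) -> bool:
    """Lexical containment check: normalise and compare string prefixes.

    This is the behaviour that trips over a symlinked root: the staged
    file's path starts with the real directory, not with the link name.
    """
    root_prefix = os.path.join(os.path.normpath(root), "")
    return os.path.normpath(path).startswith(root_prefix)


def safe_is_under(root: str, path: str) -> bool:
    """Containment check that resolves symlinks on both sides first.

    Comparing component-wise after realpath() means a root reached through
    a link and a file stored under the link's target agree, while a file
    that is genuinely outside the root (including via '..') is rejected.
    """
    real_root = Path(os.path.realpath(root))
    real_path = Path(os.path.realpath(path))
    try:
        real_path.relative_to(real_root)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Rebuild the thread's situation in a scratch directory and run both checks.

    Constructed layout (hypothetical, mirrors the paths in the question):
      <base>/splunk/var/run/splunk/lookup_tmp/ol1.csv.0132362786125  real staging file
      <base>/opt/splunk -> <base>/splunk                              symlinked SPLUNK_HOME
      <base>/elsewhere/ol1.csv                                        a file outside the root
    """
    with tempfile.TemporaryDirectory() as base:
        real_home = os.path.join(base, "splunk")
        staged_dir = os.path.join(real_home, "var", "run", "splunk", "lookup_tmp")
        os.makedirs(staged_dir)
        staged = os.path.join(staged_dir, "ol1.csv.0132362786125")
        Path(staged).write_text("Hostname,OrganizationCode\n")  # constructed sample

        os.makedirs(os.path.join(base, "opt"))
        link_home = os.path.join(base, "opt", "splunk")
        os.symlink(real_home, link_home)  # /opt/splunk -> /splunk, as in the thread

        outside = os.path.join(base, "elsewhere", "ol1.csv")
        os.makedirs(os.path.dirname(outside))
        Path(outside).write_text("Hostname,OrganizationCode\n")  # constructed sample

        # A path that climbs out of the root with '..' components.
        traversal = os.path.join(link_home, "var", "..", "..", "..", "elsewhere", "ol1.csv")

        return {
            # The thread's failure: root is the link name, file is under the target.
            "naive_symlinked_home": naive_is_under(link_home, staged),
            "canonical_symlinked_home": safe_is_under(link_home, staged),
            # The workaround: SPLUNK_HOME set to the canonical directory.
            "naive_real_home": naive_is_under(real_home, staged),
            # Files that really are outside the root stay rejected either way.
            "naive_outside": naive_is_under(link_home, outside),
            "canonical_outside": safe_is_under(link_home, outside),
            "naive_traversal": naive_is_under(link_home, traversal),
            "canonical_traversal": safe_is_under(link_home, traversal),
        }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'accept' if ok else 'refuse'}")
```

The two checks disagree only on the symlinked-root case, which is exactly the situation in the log: the file was staged under /splunk/var while the configured root was /opt/splunk. Canonicalising the root (or, as the answer says, setting SPLUNK_HOME to the real directory) removes the disagreement without weakening the containment check.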
I know this is a very old question, but I'm encountering the same issue with Splunk Enterprise 7.2.0. @rgisrael's question describes exactly what I'm struggling with. @ewoo's answer seems to be for a *nix environment. Is there a similar bug/solution for a Windows environment?
I've symlinked /opt/splunk to /splunk. Where is SPL-37310 documented? I've searched for the error and 'spl-37310' all over splunk.com's websites and on Google and haven't come up with anything. Do you know what the workaround is?