Splunk Search

Can't get lookup tables to function - Refuse to copy file from unsafe

Explorer

OK, so I've spent a good bit of time trying to implement lookup tables according to the docs, and I'm getting no luck at all. When I try to use the GUI to add a lookup table file, I get the following error:

Encountered the following error while trying to save: In handler 'lookup-table-files': Error performing action=create on object id=ol1.csv in config=lookups.

In the splunkd log, I see:

02-28-2011 11:50:06.127 WARN LookupTableConfPathMapper - Refuse to copy file from unsafe location: /splunk/var/run/splunk/lookup_tmp/ol1.csv.0132362786125 02-28-2011 11:50:06.127 ERROR PropertiesMapConfig - Failed to save settings: /admin/search/lookups/ol1.csv (user: admin, app: search, root: /opt/splunk/etc): Data could not be written: /admin/search/lookups/ol1.csv: /opt/splunk/var/run/splunk/lookup_tmp/ol1.csv.0132362786125 

Putting in modified props.conf and transforms.conf in apps/search/local and putting the file in apps/search/lookups has no effect... no error messages on restart saying they were read and were improper, no visible change to log messages to suggest it worked. btool says the properties were loaded.

props.conf:

[syslog] 
pulldown_type = true 
maxDist = 3 
TIME_FORMAT = %b %d %H:%M:%S 
MAX_TIMESTAMP_LOOKAHEAD = 32 
TRANSFORMS = syslog-host 
REPORT-syslog = syslog-extractions 
SHOULD_LINEMERGE = False 
lookup_orblookup = orblookup Hostname OUTPUTNEW OrganizationCode

transforms.conf:

[orblookup] 
filename = ol1.csv 

head ol1.csv

Hostname,OrganizationCode
hostname1.example.com,Data Warehouse
hostname2.example.com,Data Warehouse
hostname3.example.com,Data Warehouse
hostname4.example.com,Data Warehouse
hostname5.example.com,Infrastructure Operations
Tags (1)
0 Karma

Splunk Employee
Splunk Employee

Have you symlink-ed $SPLUNK_HOME/var out to /splunk/var?

If so, this is a known issue (for internal use: SPL-37310).

0 Karma

Splunk Employee
Splunk Employee

Setting SPLUNK_HOME to /splunk instead of /opt/splunk should fix lookup table upload.

0 Karma

Explorer

I know this is a very old question, but I'm encountering the same issue with Splunk Enterprise 7.2.0. @rgisrael's question describes exactly what I'm struggling with. @ewoo's answer seems to be for a *nix environment. Is there a similar bug/solution for Windows environment?

0 Karma

Explorer

I've symlinked /opt/splunk to /splunk. Where is SPL-37310 documented? I've searched for the error and 'spl-37310' all over splunk.com's websites and in google and haven't come up with anything. Do you know what the workaround is?

0 Karma