Below is the transforms.conf at $SPLUNK_HOME/etc/local:
And I uploaded test.csv (a csv file only with headers):time,host,foo in Manager > Data Input > Files & Directories > New > upload a local file. Also I have test.csv in $SPLUNK_HOME/etc/system/lookups.
However, when I run below search, I get "Error in 'lookup' command: The lookup table 'test_lookup' does not exist."
index="_*" | head 1 | lookup test_lookup host OUTPUT foo
Any idea why this is happening? I restarted Splunk after I modified transforms.conf. This is on version 4.1.0.
You might find help here
I think the problem is that of the new lookup scoping mechanisms added in 4.1. Adding
to the $splunk_home/etc/system/metadata/local.meta config file should save your day.
View solution in original post
you can also change the permissions from the manager UI for the lookups definitions to "global"