I want to use a lookup table, but every time, I add the command to my search "| lookup nameofmylookup", I'm getting the "Error in 'lookup' command: The lookup table 'nameofmylookup' does not exist or is not available. "
When I try to load the same lookup with "| inputlookup", it works fine, I see all the contents.
I didn't find any more detailed error message.
What am I doing wrong?
Update: without changing anything, the issue is gone now. The lookup works now as expected, but I would be still interested in understanding what went wrong, not to make the same mistake again in the future.
I've also seen this happen with improperly formatted lookup files where there are missing columns.
Internally, you could search:
index=_internal source="/opt/splunk/var/log/splunk/splunkd.log" lookup table invalid
02-01-2018 15:41:44.309 -0800 WARN SearchOperator:inputcsv - sid:searchparsetmp_741145440 The lookup table 'mylookup.csv' is invalid.
In this case the lookup file was missing a first column, e,g.
You need to add a lookup definition and make sure the permissions are correct on it. Without the definition you'll have to add .csv to the name when you use it.
Settings -> lookups -> lookup definition