Splunk Search

Lookup Table Problem

sjlin
Explorer

Hi, I have a problem when using lookup function in Splunk.

I am using a lookup table in C:\Program Files\Splunk\etc\users\admin\MyApp\lookups\lookuptable.csv and Lookup table name is "lookuptable"
But if I want to add or change some data into lookuptable.csv

when I search "| inputlookup lookuptable", I get the following error

File 'C:\Program Files\Splunk\etc\users\admin\MyApp\lookups\lookuptable.csv' could not be opened for reading.

I am wondering if anyone can help. Thanks a lot.

PS, Can anyone tell me when I import lookuptable.csv into Splunk, why C:\Program Files\Splunk\etc\users\admin\MyApp\lookups\lookuptable.csv have a blank row between every original row?

Tags (1)
0 Karma

sjlin
Explorer

To linu1988:
Yes, but after I delete the lookup in Manager/lookup table, I add the lookup table again, and then the lookup file is inside the folder: \etc\users\admin\MyApp\lookups

Sorry, How can I know if splunk has read access to the lookup table?

0 Karma

lguinn2
Legend

The docs say "The CSV files used as lookups must be created with UNIX-style line endings." This may also be your problem; there are utilities which can correct line-ending problems. You might find the dos2unix utility helpful.

0 Karma

lguinn2
Legend

@linu1988 It looks like this lookup table is private, based on the file location.

0 Karma

linu1988
Champion

It means the file name is wrong in the transforms.conf or the file is locked by some other process or splunk doesn't have read access to the location. try these options should resolve the issue.

And i thought the lookup files should be inside the \etc\apps\app_name\lookups folder, Isn't it?

Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...