Splunk Search

Lookup upload Error

aniketb
Path Finder

Hi,

I have an alert set up to compare hosts with my look-up table .csv file. It was working fine in Splunk 4.3.3 build 128297.
We recently did a failover to Splunk 4.2.1(98164) and I'm not able to recreate this.

This file just won't upload. It gives the following error:

Encountered the following error while trying to save: In handler 'lookup-table-files': Error performing action=create on object id=testfile.csv in config=lookups.

I am a privileged user. I did this without a problem earlier. I asked my admin to upload it, and he received the same error. What could be the issue?

edit: Found a difference in where Splunk saves the files. (Assume my username is aniketb.)

Splunk 4.3.3 saved the lookup to: /opt/splunk/etc/apps/search/lookups/testfile.csv
Splunk 4.2.1 saved to: /opt/splunk/etc/users/aniketb/search/lookups/testfile.csv

Does this point to any error?

0 Karma

aakwah
Builder

This issue happened to me when I had a column that contained German letters (ü, ß, ä, ...).
After I removed this column from the CSV file, it uploaded successfully.

0 Karma
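As an added example (not part of the original thread and not Splunk code), the following checks a lookup CSV for the condition the reply above reports: it lists which columns hold non-ASCII values and can write a copy without them. The function names and the sample rows are constructed for illustration, and the file is assumed to be UTF-8 or Latin-1 encoded.

```python
import csv
import io

# Constructed sample lookup; the "owner" column carries German letters.
SAMPLE = ("host,owner,trusted\n"
          "web01,Müller,yes\n"
          "db01,Smith,yes\n"
          "mail01,Groß,no\n").encode("utf-8")


def decode_lookup(raw: bytes) -> str:
    """Decode lookup bytes: UTF-8 (optional BOM) first, then Latin-1."""
    try:
        return raw.decode("utf-8-sig")
    except UnicodeDecodeError:
        # Assumption: anything that is not valid UTF-8 is a Latin-1 export.
        return raw.decode("latin-1")


def non_ascii_cells(raw: bytes) -> dict:
    """Map column name -> [(row_number, value)] for non-ASCII cells."""
    reader = csv.reader(io.StringIO(decode_lookup(raw), newline=""))
    header = next(reader, [])
    hits = {}
    for row_number, row in enumerate(reader, start=2):  # header is row 1
        for name, value in zip(header, row):
            if not value.isascii():
                hits.setdefault(name, []).append((row_number, value))
    return hits


def drop_columns(raw: bytes, columns) -> str:
    """Return the CSV text with the named columns removed."""
    reader = csv.reader(io.StringIO(decode_lookup(raw), newline=""))
    header = next(reader, [])
    keep = [i for i, name in enumerate(header) if name not in columns]
    out = io.StringIO(newline="")
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow([header[i] for i in keep])
    for row in reader:
        writer.writerow([row[i] for i in keep if i < len(row)])
    return out.getvalue()


if __name__ == "__main__":
    found = non_ascii_cells(SAMPLE)
    for column, cells in found.items():
        print(column, cells)
    print(drop_columns(SAMPLE, set(found)))
```
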

aniketb
Path Finder

The scheduled search uses inputlookup.
I'm using this from a security point of view to monitor access by trusted hosts. Since this is a learning phase, after the alerts are flagged, we review whether we have to add the flagged ones to the trusted list.

Related to: http://splunk-base.splunk.com/answers/54370/updating-a-lookup-table-by-external-means

0 Karma

sideview
SplunkTrust

What is it that keeps updating the host list? For instance, is it a scheduled search that uses the outputlookup command, or is it a script that just writes a new file to disk? I'm wondering if it's some difference around file permissions in lookup handling, between 4.3 and 4.2.X.

0 Karma

aniketb
Path Finder

Maybe yes, but that would be a one-time workaround. The host list keeps updating; you can't go to the admin every time to upload the lookup. We tried setting all permissions ON and still got the same error.
Any possible hints to configuration problems?

0 Karma

lguinn2
Legend

Can the admin copy the file into the appropriate lookups directory from the command line (Linux, Windows, whatever)?

0 Karma