Hi,
I have an alert set up to compare hosts with my look-up table .csv file. It was working fine in Splunk 4.3.3 build 128297.
We recently did a failover to Splunk 4.2.1(98164) and I'm not able to recreate this.
This file just won't upload. It gives the following error:
Encountered the following error while trying to save: In handler 'lookup-table-files': Error performing action=create on object id=testfile.csv in config=lookups.
I am a privileged user. I did this without a problem earlier. I asked my admin to upload it, he received the same error. What could be the issue?
edit: Found a difference in where splunk saves the files. (Assume my username as aniketb)
Splunk 4.3.3 saved the lookup to: /opt/splunk/etc/apps/search/lookups/testfile.csv
Splunk 4.2.1 saved to: /opt/splunk/etc/users/aniketb/search/lookups/testfile.csv
Does this point to any error?
This issue happened with me when I've a column that has German letters ü,ß,ä ...
after I removed this column from csv file it uploaded successfully
The scheduled search uses inputlookup.
I'm using this from security point to monitor access by trusted hosts. Since this is a learning phase, after the alerts are flagged, we review if we have to add the flagged ones to the trusted list.
Related to: http://splunk-base.splunk.com/answers/54370/updating-a-lookup-table-by-external-means
What is it that keeps updating the host list? For instance is it a scheduled search that uses the outputlookup command, or is it a script that just writes a new file to disk? I'm wondering if it's some difference around file permissions in lookup handling, between 4.3 and 4.2.X.
Maybe yes but that would be a one time workaround. The host list keeps updating, you can't go to admin every time to upload the lookup. We tried with setting all permissions ON, still got the same error.
Any possible hints to configuration problems?
Can the admin copy the file into the appropriate lookups directory from the command line (Linux, Windows, whatever)?