Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Lookups aren't available until Splunk is restarted

jambajuice
Communicator
‎02-06-2011 01:19 AM

I've built an app that uses over twenty lookup tables. I deleted them all and have been trying to test and document the process of building all of the tables. After building the first lookup table, I've tried running other saved searches that use that table for a lookup. The search always says that the lookup table is not available.

I see the lookup table in the appname/lookups folder and it contains the right data. If I restart Splunk, the search completes as expected.

Is there any way to make Splunk see a new lookup table without restarting?

Thx.

Craig

Tags (1)
Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-06-2011 03:37 AM

It sounds as if your lookup is being loaded fine without restarting, since you're receiving the error message. I would bet that this issue is one of context, where you're attempting to use the lookup from an app (i.e. Search app) other than the one where it's defined (i.e. MyCustomLookupApp). You need to set permissions to use the lookup outside the context of the app in which it is defined.

It's easiest to understand where the permissions need to be set by walking through a UI-configured lookup. You can build your lookups through the UI in Manager-->Lookups. There is a tutorial here: http://www.splunk.com/base/Documentation/4.1.6/User/Fieldlookupstutorial

Using this method to configure a lookup will alleviate any doubt that you need to restart and help to identify each place where permissions need to be set. (i.e. Table File, Definitions, Automatic Lookup).

HTH
ron

Reply

Lowell
Super Champion
‎02-07-2011 04:18 PM

Ron, I agree that getting the permissions all setup properly can be an issue, and it's often difficult to find which piece is missing. But I too have seen some situation where it appears that the only "solution" to getting a lookup working properly, is to restart splunkd like jambajuice is asking about. There does seems to be something glitchy about this, but I haven't taken the time to track it down precisely.

0 Karma
Reply

Ron_Naken
Splunk Employee
Splunk Employee
‎02-06-2011 11:26 PM

I tried this in the lab and noticed that when I add props/transforms to do the lookup, I don't get a UI entry for Definitions, but I get one for Lookup and File -- I receive the same error. Adding the Definition in the UI fixed the issue, but it didn't make any change to props or tranforms.

0 Karma
Reply

jambajuice
Communicator
‎02-06-2011 05:22 AM

The permissions on the lookup tables currently show all apps, though I haven't created a new lookup table since the last Splunk restart...

0 Karma
Reply

jambajuice
Communicator
‎02-06-2011 05:19 AM

The lookup table is in the same app that I'm running the search from.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...