Re: Splunk Indexer giving lookup missing error

sscandoit · ‎08-31-2011

Hi All,

I have the following setup in my environment:
1) light forwarder installed on the machine where logs are generated
2) forwarder machine
3) Indexer which can perform search
4) Search head

I have created a view on search head and have saved the regular expressions in props.conf and transforms.conf files on this search head. I am also using a lookup in my view which is stored in $SPLUNK_HOME/etc/system/local/lookups.

When open the view, it displays the data correctly. However it shows message stating lookup file is missing on indexer machine.

I am not able to understand why indexer is also looking for the lookup. Could you please tell me how I can take care of this error? Once again thanks a lot for helping me. This forum has been really helpful to me.

Thanks
Suvelee

melting · ‎09-01-2011

Lookup search cmd will try to run on the indexers. You can force it to run only of the search head with local=true. Take a look at the docs for input search cmd

sscandoit · ‎09-02-2011

Thanks for your reply. I will definitely try that.

Splunk Indexer giving lookup missing error

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you a member of the Splunk Community?

Splunk Indexer giving lookup missing error

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...