I have the following setup in my environment:
1) light forwarder installed on the machine where logs are generated
2) forwarder machine
3) Indexer which can perform search
4) Search head
I have created a view on search head and have saved the regular expressions in props.conf and transforms.conf files on this search head. I am also using a lookup in my view which is stored in $SPLUNK_HOME/etc/system/local/lookups.
When open the view, it displays the data correctly. However it shows message stating lookup file is missing on indexer machine.
I am not able to understand why indexer is also looking for the lookup. Could you please tell me how I can take care of this error? Once again thanks a lot for helping me. This forum has been really helpful to me.