Splunk is not able to idetnify transforms.conf loo...

surejsajeev · ‎04-18-2021

Hi,

I have a csv file uploaded in the location /opt/splunk/etc/apps/search/lookups/. My transforms file is in /opt/splunk/etc/apps/search/local with configuration as

[error_codes]

filename=error_codes.csv

I am trying to run a search query using this lookup command to map the error code from the event to the error codes in the csv file. But Splunk keeps saying "Error in 'lookup' command: Could not construct lookup ".

This is my search query

base_search | lookup error_codes error_code_spl OUTPUT error_code_desc, error_code_sol

I even tried to make the lookup file and transforms global by moving it to /opt/splunk/etc/system/lookups and /opt/splunk/etc/system/local/transforms.conf, but nothing works.

Am I missing something here?. Please help.

manjunathmeti · ‎04-18-2021

hi @surejsajeev,

Check the permissions of the CSV file - error_codes.csv and lookup definition - error_codes. Are they shared with the search app?
To check/change permissions for CSV file got to Settings >> Lookup >> Lookup table files.

To check/change permissions for the lookup definitions permissions got to Settings >> Lookup>> Lookup definitions.

If this reply helps you, a like would be appreciated.

Splunk is not able to idetnify transforms.conf lookup configuration

lookup

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?