Splunk is not able to idetnify transforms.conf loo...

surejsajeev · ‎04-18-2021

Hi,

I have a csv file uploaded in the location /opt/splunk/etc/apps/search/lookups/. My transforms file is in /opt/splunk/etc/apps/search/local with configuration as

[error_codes]

filename=error_codes.csv

I am trying to run a search query using this lookup command to map the error code from the event to the error codes in the csv file. But Splunk keeps saying "Error in 'lookup' command: Could not construct lookup ".

This is my search query

base_search | lookup error_codes error_code_spl OUTPUT error_code_desc, error_code_sol

I even tried to make the lookup file and transforms global by moving it to /opt/splunk/etc/system/lookups and /opt/splunk/etc/system/local/transforms.conf, but nothing works.

Am I missing something here?. Please help.

manjunathmeti · ‎04-18-2021

hi @surejsajeev,

Check the permissions of the CSV file - error_codes.csv and lookup definition - error_codes. Are they shared with the search app?
To check/change permissions for CSV file got to Settings >> Lookup >> Lookup table files.

To check/change permissions for the lookup definitions permissions got to Settings >> Lookup>> Lookup definitions.

If this reply helps you, a like would be appreciated.

Splunk is not able to idetnify transforms.conf lookup configuration

lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation