I have a csv file uploaded in the location /opt/splunk/etc/apps/search/lookups/. My transforms file is in /opt/splunk/etc/apps/search/local with configuration as
I am trying to run a search query using this lookup command to map the error code from the event to the error codes in the csv file. But Splunk keeps saying "Error in 'lookup' command: Could not construct lookup ".
Check the permissions of the CSV file - error_codes.csv and lookup definition - error_codes. Are they shared with the search app? To check/change permissions for CSV file got to Settings >> Lookup >> Lookup table files.
To check/change permissions for the lookup definitions permissions got to Settings >> Lookup>> Lookup definitions.
If this reply helps you, a like would be appreciated.