Splunk Search

lookup table not visible when creating "New Automatic Lookup" until after server restart

Contributor

I can upload a lookup table .csv fine, "| lookupinput <name.csv>" also works fine.
When I create an autolookup, the lookup table isn't visible in the "select LookupTable to use" until after I restart the server.

Q: Is there a update/refresh settings I need to set to have these settings populate faster or without a restart?

I have 1 search head, index_cluster and a master_node
Documentation states I shouldn't need to restart but after all my testing, this seems to be the case for my situation.

Some additional issues:
1) After I delete the lookup table it is still populating the New Autolookup Create section but is fixed after a server restart.
2) I have to manually add the below entry into my transforms.conf for the lookup table to be visible within the New AutoLookup Creation section.

[LookupTableName]
filename = name.csv

Thank You,
Sean

0 Karma
1 Solution

Contributor

The problem is resolved. It was a simple misunderstanding on my part on not doing the creation correctly. Its pretty funny how much research I did on this subject to find that I never found a simple post about 1) upload the lookup table. 2) create a set of definitions 3) create an autolookup.

The problem was I wasn't doing the 2nd step of creating the definitions. Once I created the definitions everything is working.

Now my IP -> CIDR lookups are working as expected. Although it took awhile to figure out about the match_type parameter within the lookup stanza in the transforms.conf

View solution in original post

0 Karma

Contributor

The problem is resolved. It was a simple misunderstanding on my part on not doing the creation correctly. Its pretty funny how much research I did on this subject to find that I never found a simple post about 1) upload the lookup table. 2) create a set of definitions 3) create an autolookup.

The problem was I wasn't doing the 2nd step of creating the definitions. Once I created the definitions everything is working.

Now my IP -> CIDR lookups are working as expected. Although it took awhile to figure out about the match_type parameter within the lookup stanza in the transforms.conf

View solution in original post

0 Karma

Esteemed Legend
0 Karma

Splunk Employee
Splunk Employee

Check the permissions on the file and the lookup. They may be restricted to app only, which is why its not visible.

0 Karma

Contributor

The table is visible in both the APP view and GLOBAL view but only after I manually add the 'filename=' entry into the transforms.conf and do a ..http://<splunk_url>:8000/debug/refresh.
Is this a bug or do I need to change a setting in another .conf to enable or make active?

0 Karma

Contributor

Hi,

To refresh some elements of the configuration, you can use the 'debug/refresh' link.

I.e. On your server go to: http://[splunk server hostname]:8000/debug/refresh

This should give you a little 'refresh' button.

Give this a go and see if it help.

Contributor

Thank you for the suggestion. This is works and I don't need a restart but I am still having the other issues to troubleshoot... Almost there! 🙂

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!