Splunk Search

lookup table not visible when creating "New Automatic Lookup" until after server restart

rewritex
Contributor

I can upload a lookup table .csv fine, "| lookupinput <name.csv>" also works fine.
When I create an autolookup, the lookup table isn't visible in the "select LookupTable to use" until after I restart the server.

Q: Is there an update/refresh setting I need to set to have these settings populate faster or without a restart?

I have 1 search head, index_cluster and a master_node.
Documentation states I shouldn't need to restart but after all my testing, this seems to be the case for my situation.

Some additional issues:
1) After I delete the lookup table it is still populating the New Autolookup Create section but is fixed after a server restart.
2) I have to manually add the below entry into my transforms.conf for the lookup table to be visible within the New AutoLookup Creation section.

[LookupTableName]
filename = name.csv

Thank You,
Sean

0 Karma

rewritex
Contributor

The problem is resolved. It was a simple misunderstanding on my part on not doing the creation correctly. It's pretty funny how much research I did on this subject to find that I never found a simple post about 1) upload the lookup table, 2) create a set of definitions, 3) create an autolookup.

The problem was I wasn't doing the 2nd step of creating the definitions. Once I created the definitions everything is working.

Now my IP -> CIDR lookups are working as expected, although it took a while to figure out about the match_type parameter within the lookup stanza in the transforms.conf.

0 Karma
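
The three steps named in the solution above, written out as configuration. This is an added example, not part of the original post: the stanza name and filename come from the question, while the CSV columns, the sourcetype `my_sourcetype` and the fields `src_ip` and `network_name` are hypothetical.

```ini
# Step 1: lookups/name.csv, the uploaded lookup table (rows are constructed samples)
#   cidr_range,network_name
#   10.0.0.0/8,internal
#   192.168.10.0/24,lab

# Step 2: transforms.conf, the lookup definition
# Without this stanza the table does not appear when creating an automatic lookup.
[LookupTableName]
filename = name.csv
# Treat the cidr_range column as CIDR blocks instead of exact strings
match_type = CIDR(cidr_range)
# Return at most one matching row per event
max_matches = 1

# Step 3: props.conf, the automatic lookup
# Applies the definition to every event of this sourcetype at search time.
[my_sourcetype]
LOOKUP-network_name = LookupTableName cidr_range AS src_ip OUTPUT network_name
```

Creating the definition and the automatic lookup through the Settings pages writes equivalent stanzas to the app's local transforms.conf and props.conf.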

woodcock
Esteemed Legend
0 Karma

sduff_splunk
Splunk Employee

Check the permissions on the file and the lookup. They may be restricted to app only, which is why it's not visible.

rewritex
Contributor

The table is visible in both the APP view and GLOBAL view but only after I manually add the 'filename=' entry into the transforms.conf and do a http://<splunk_url>:8000/debug/refresh.
Is this a bug or do I need to change a setting in another .conf to enable or make active?

0 Karma

gvmorley
Contributor

Hi,

To refresh some elements of the configuration, you can use the 'debug/refresh' link.

I.e. On your server go to: http://[splunk server hostname]:8000/debug/refresh

This should give you a little 'refresh' button.

Give this a go and see if it helps.

rewritex
Contributor

Thank you for the suggestion. This works and I don't need a restart but I am still having the other issues to troubleshoot... Almost there! 🙂

0 Karma