I'm trying to use outputlookup to generate a lookup table based on search results and I'm running into the following error:

Error in 'outputlookup' command: Could not write to file 'metrics_daily_sourcetype.csv'.

I've tried both both a simple csv file, an absolute path, as well as a named lookup (stanza name in transforms.conf).

Then I looked in the search.log for search job and found the following error messages:

06-30-2010 17:24:09.122 ERROR SearchResults - Unable to write to file '/opt/splunk/etc/apps/SplunkAdmin/lookups/metrics_daily_sourcetype.csv'.  Retried 5 times, period=500 ms. error='Invalid cross-device link'
06-30-2010 17:24:09.122 ERROR outputcsv - Error in 'outputlookup' command: Could not write to file 'metrics_daily_sourcetype.csv'.

My $SPLUNK_HOME and $SPLUNK_HOME/var/run are on a different file system. And I'm wondering if that has anything to do with the issue. (I ran into an issue with this before with summary indexing. The stash file was written to a temp file under $SPLUNK_HOME/var/run and the process assumed it could do a "rename" (which is atomic) rather than doing a move which is needed when you have multiple partitions. So I'm wondering if something similar is going on here.)

Any ideas?

I'm running Splunk 4.1.3 on Ubuntu Linux 8.04 (32 bit)

Workaround:

I'm temporarily working around this issue by using outputcsv and then manually coping my file from $SPLUNK_HOME/var/run/splunk/table.csv to $SPLUNK_HOME/etc/apps/SplunkAdmin/lookups/. But this is rather tedious.