I've configured a CSV lookup and an automatic lookup on Splunk 5.0.4 that work on one of my search heads (let's call it host01). When I push the app to the indexer search peer (host02) that holds the data, host01 starts showing errors about the lookup not existing:
[host02] The lookup table 'internal_domains' does not exist. It is referenced by configuration 'source::maillog|host::mailhost|sendmail_syslog'.
All of my searching has led me to believe this kind of thing is normally a permission issue on any of the pieces involved (lookup table file, lookup defintion, or automatic lookup) but the ONLY "*.meta" files I can find that contain any information about this lookup on my indexer are in my app, and it has this:
[props]
export = system
[lookups/internal_domains.csv]
export = system
version = 5.0.2
modtime = 1367367795.814840000
access = read : [ * ], write : [ admin, power ]
owner = nobody
[transforms/internal_domains]
export = system
version = 5.0.3
access = read : [ * ], write : [ admin, power ]
modtime = 1371773947.230195000
owner = nobody
[props/sendmail_syslog/LOOKUP-direction]
access = read : [ * ], write : [ admin, power ]
owner = nobody
version = 5.0.4
modtime = 1378938232.175058000
The most confusing part is that if I log in to host02 and do the exact same search, I don't get any errors and the automatic lookup happens, regardless of what app I do it from. Meanwhile, the errors didn't start showing up on host01 until I'd pushed the definitions to host02. I'm sure I must be missing something obvious.
... View more