Dear Splunk Dev team,  One more simple typo issue:  Splunk fresh install 9.4.0 (last week's version 9.3.2 also had this issue, but i thought to wait to post this till next version) showing the warning msg - "Error in 'lookup' command: Could not construct lookup 'test_lenlookup, data'. See search.log for more details." (on older splunk versions i remember this search.log, but nowadays both search.log and searches.log are not available)   https://docs.splunk.com/Documentation/Splunk/latest/Troubleshooting/WhatSplunklogsaboutitself as per what Splunk logs about itself, it should be "See searches.log for more details." one more bigger issue -both search.log or searches.log are not available. All these searches are not returning anything (the doc says that - The Splunk search logs are located in sub-folders under $SPLUNK_HOME/var/run/splunk/dispatch/. )       index=_* source="*search.log" OR index=_* source="*searches.log" OR index=_* source="C:\Program Files\Splunk\var\run\splunk\dispatch*"         will post this to Splunk Slack as well, thanks.  If any post helped you in anyway, pls consider adding a karma point, thanks.  ... View more

Hi Dear Splunkers,  I have been working on creating a Custom TA for counting unicode characters for non-eng dataset (long story discussion post in PS), getting these lookup file errors 1)Error in 'lookup' command: Could not construct lookup 'ucd_count_chars_lookup, _raw, output, count'. See search.log for more details. 2)The lookup table 'ucd_count_chars_lookup' does not exist or is not available. The search job has failed due to an error. You may be able view the job in the Job Inspector.   The Custom TA creation steps I followed: (on my personal laptop, installed bare-min fresh 9.3.2 enterprise trial version) 1) Created the custom TA named "TA-ucd" on app creation page (given read for all, execute for owner, shared with all apps) 2) created the ucd_category_lookup.py (made sure of the permissions) $SPLUNK_HOME/etc/apps/TA-ucd/bin/ucd_category_lookup.py (this file should be readable and executable by the Splunk user, i.e. have at least mode 0500) #!/usr/bin/env python import csv import unicodedata import sys def main(): if len(sys.argv) != 3: print("Usage: python category_lookup.py [char] [category]") sys.exit(1) charfield = sys.argv[1] categoryfield = sys.argv[2] infile = sys.stdin outfile = sys.stdout r = csv.DictReader(infile) header = r.fieldnames w = csv.DictWriter(outfile, fieldnames=r.fieldnames) w.writeheader() for result in r: if result[charfield]: result[categoryfield] = unicodedata.category(result[charfield]) w.writerow(result) main()  $SPLUNK_HOME/etc/apps/TA-ucd/default/transforms.conf [ucd_category_lookup] external_cmd = ucd_category_lookup.py char category fields_list = char, category python.version = python3 $SPLUNK_HOME/etc/apps/TA-ucd/metadata/default.meta [] access = read : [ * ], write : [ admin, power ] export = system 3) after creating the 3 files above mentioned, i did restart Splunk service and laptop as well.  4) still the search fails with lookup errors above mentioned.  5) source=*search.log* - does not produce anything (Surprisingly !) Could you pls upvote the idea - https://ideas.splunk.com/ideas/EID-I-2176 PS - long story available here - https://community.splunk.com/t5/Splunk-Search/non-english-words-length-function-not-working-as-expected/m-p/705650   ... View more