Splunk Search

'outputlookup' command: Could not write to file

Lowell
Super Champion

I'm trying to use outputlookup to generate a lookup table based on search results and I'm running into the following error:

Error in 'outputlookup' command: Could not write to file 'metrics_daily_sourcetype.csv'.

I've tried both both a simple csv file, an absolute path, as well as a named lookup (stanza name in transforms.conf).

Then I looked in the search.log for search job and found the following error messages:

06-30-2010 17:24:09.122 ERROR SearchResults - Unable to write to file '/opt/splunk/etc/apps/SplunkAdmin/lookups/metrics_daily_sourcetype.csv'.  Retried 5 times, period=500 ms. error='Invalid cross-device link'
06-30-2010 17:24:09.122 ERROR outputcsv - Error in 'outputlookup' command: Could not write to file 'metrics_daily_sourcetype.csv'.

My $SPLUNK_HOME and $SPLUNK_HOME/var/run are on a different file system. And I'm wondering if that has anything to do with the issue. (I ran into an issue with this before with summary indexing. The stash file was written to a temp file under $SPLUNK_HOME/var/run and the process assumed it could do a "rename" (which is atomic) rather than doing a move which is needed when you have multiple partitions. So I'm wondering if something similar is going on here.)

Any ideas?

I'm running Splunk 4.1.3 on Ubuntu Linux 8.04 (32 bit)


Workaround:

I'm temporarily working around this issue by using outputcsv and then manually coping my file from $SPLUNK_HOME/var/run/splunk/table.csv to $SPLUNK_HOME/etc/apps/SplunkAdmin/lookups/. But this is rather tedious.

0 Karma
1 Solution

ftk
Motivator

This seems to be related to SPL-31130 -- output file located on a different file system.

View solution in original post

bharrell
Path Finder

Ran into this error today. In my case, I had the CSV file open in Excel - causing a write lock.

0 Karma

ftk
Motivator

This seems to be related to SPL-31130 -- output file located on a different file system.

View solution in original post

Rob
Splunk Employee
Splunk Employee

This issue should be fixed with Splunk version 4.1.4+

0 Karma

jpass
Contributor

were you able to fix the issue? If so, how did you do it?

0 Karma

Lowell
Super Champion

Thanks. I've emailed support asking to be included on this issue.

0 Karma

ftk
Motivator

ACtually found the defect in an email it's SPL-31130

0 Karma

ftk
Motivator

There is a open defect ticket on this -- not sure what the ticket number is but as I was troubleshooting a similar issue people in IRC noted that this is an open issue.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!