I'm trying to use outputlookup to generate a lookup table based on search results and I'm running into the following error:
Error in 'outputlookup' command: Could not write to file 'metrics_daily_sourcetype.csv'.
I've tried both a simple csv file, an absolute path, as well as a named lookup (stanza name in
Then I looked in the search.log for the search job and found the following error messages:
06-30-2010 17:24:09.122 ERROR SearchResults - Unable to write to file '/opt/splunk/etc/apps/SplunkAdmin/lookups/metrics_daily_sourcetype.csv'. Retried 5 times, period=500 ms. error='Invalid cross-device link'
06-30-2010 17:24:09.122 ERROR outputcsv - Error in 'outputlookup' command: Could not write to file 'metrics_daily_sourcetype.csv'.
$SPLUNK_HOME/var/run are on a different file system. And I'm wondering if that has anything to do with the issue. (I ran into an issue with this before with summary indexing. The stash file was written to a temp file under $SPLUNK_HOME/var/run and the process assumed it could do a "rename" (which is atomic) rather than doing a move which is needed when you have multiple partitions. So I'm wondering if something similar is going on here.)
I'm running Splunk 4.1.3 on Ubuntu Linux 8.04 (32 bit)
I'm temporarily working around this issue by using outputcsv and then manually copying my file from $SPLUNK_HOME/etc/apps/SplunkAdmin/lookups/. But this is rather tedious.
There is an open defect ticket on this -- not sure what the ticket number is but as I was troubleshooting a similar issue people in IRC noted that this is an open issue.
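The rename-versus-move behaviour raised in the question, as an added example that is not part of the original posts and is not Splunk's code: rename fails with EXDEV ("Invalid cross-device link") when source and destination sit on different file systems, and the usual fallback is to copy into the destination directory and rename there. The names `publish`, `_raise_exdev` and `demo` are hypothetical, and the cross-device failure is simulated so the block runs on a single file system.

```python
import errno
import os
import shutil
import tempfile


def _raise_exdev(src, dst):
    # Constructed stand-in for rename(2) across two mount points.
    raise OSError(errno.EXDEV, "Invalid cross-device link")


def publish(tmp_path, dest_path, rename=os.replace):
    """Move tmp_path to dest_path; return which strategy was used."""
    try:
        rename(tmp_path, dest_path)          # atomic, same file system only
        return "rename"
    except OSError as exc:
        if exc.errno != errno.EXDEV:
            raise                            # permissions, missing dir, ...
    # Different file system: stage a copy next to the destination, then
    # rename inside that file system so readers never see a partial file.
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    fd, staged = tempfile.mkstemp(dir=dest_dir, prefix=".staged-")
    try:
        with os.fdopen(fd, "wb") as out, open(tmp_path, "rb") as src:
            shutil.copyfileobj(src, out)
            out.flush()
            os.fsync(out.fileno())
        os.replace(staged, dest_path)
    except BaseException:
        if os.path.exists(staged):
            os.unlink(staged)
        raise
    os.unlink(tmp_path)
    return "copy+rename"


def demo():
    """Run both paths in scratch directories (constructed sample data)."""
    results = []
    for rename in (os.replace, _raise_exdev):
        with tempfile.TemporaryDirectory() as run_dir, \
                tempfile.TemporaryDirectory() as lookups:
            tmp = os.path.join(run_dir, "results.csv.tmp")
            dest = os.path.join(lookups, "metrics_daily_sourcetype.csv")
            with open(tmp, "w") as fh:
                fh.write("sourcetype,count\nsyslog,42\n")
            how = publish(tmp, dest, rename=rename)
            with open(dest) as fh:
                results.append((how, fh.read(), os.path.exists(tmp), os.listdir(lookups)))
    return results
```

`tempfile.mkstemp` creates the staged file with mode 0600, so set the mode the reading process needs before the final rename.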