I am new to splunk and had been seeing the following error messages for the Linux dhcpd app. The look files exists on the SH server. So I opened the local\transforms.conf file. Every thing looked good. So I added space on both side of the operator where filename was defined and restarted splunk. Is this the right way of doing?
09-03-2013 11:54:03.654 -0400 ERROR LookupOperator - The lookup table 'dhcpd_cef-lookup' does not exist. It is referenced by configuration 'dhcpd'.
09-03-2013 11:54:03.654 -0400 ERROR LookupOperator - The lookup table 'dhcpd_mac-vendorname' does not exist. It is referenced by configuration 'dhcpd'.
09-03-2013 11:54:03.687 -0400 ERROR LookupOperator - The lookup table 'dhcpd_cef-lookup' does not exist. It is referenced by configuration 'syslog'.
09-03-2013 11:54:03.688 -0400 ERROR LookupOperator - The lookup table 'dhcpd_mac-vendorname' does not exist. It is referenced by configuration 'syslog'.
Splunk version 5.0.3
For me adding space in the fieldname kv in the local/transforms.conf file
[dhcpd_mac-hostname]
filename = dhcpd_mac-hostname.csv
[dhcpd_mac-vendorname]
filename = dhcpd_mac-vendorname.csv
[dhcpd_cef-lookup]
filename = dhcpd_cef-lookup.csv