Splunk Search

Lookups aren't available until Splunk is restarted

jambajuice
Communicator

I've built an app that uses over twenty lookup tables. I deleted them all and have been trying to test and document the process of building all of the tables. After building the first lookup table, I've tried running other saved searches that use that table for a lookup. The search always says that the lookup table is not available.

I see the lookup table in the appname/lookups folder and it contains the right data. If I restart Splunk, the search completes as expected.

Is there any way to make Splunk see a new lookup table without restarting?

Thx.

Craig


Ron_Naken
Splunk Employee

It sounds as if your lookup is being loaded fine without restarting, since you're receiving the error message. I would bet that this issue is one of context, where you're attempting to use the lookup from an app (i.e. Search app) other than the one where it's defined (i.e. MyCustomLookupApp). You need to set permissions to use the lookup outside the context of the app in which it is defined.

It's easiest to understand where the permissions need to be set by walking through a UI-configured lookup. You can build your lookups through the UI in Manager-->Lookups. There is a tutorial here: http://www.splunk.com/base/Documentation/4.1.6/User/Fieldlookupstutorial

Using this method to configure a lookup will alleviate any doubt that you need to restart and help to identify each place where permissions need to be set (i.e. Table File, Definitions, Automatic Lookup).

HTH
ron

Lowell
Super Champion

Ron, I agree that getting the permissions all set up properly can be an issue, and it's often difficult to find which piece is missing. But I too have seen some situations where it appears that the only "solution" to getting a lookup working properly is to restart splunkd, like jambajuice is asking about. There does seem to be something glitchy about this, but I haven't taken the time to track it down precisely.

0 Karma

Ron_Naken
Splunk Employee

I tried this in the lab and noticed that when I add props/transforms to do the lookup, I don't get a UI entry for Definitions, but I get one for Lookup and File -- I receive the same error. Adding the Definition in the UI fixed the issue, but it didn't make any change to props or transforms.

0 Karma

jambajuice
Communicator

The permissions on the lookup tables currently show all apps, though I haven't created a new lookup table since the last Splunk restart...

0 Karma

jambajuice
Communicator

The lookup table is in the same app that I'm running the search from.

0 Karma
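
An added example, not code from any poster or from Splunk: a Python check that walks an app directory and reports, for each lookup table file, the three objects named in Ron_Naken's answer (table file, definition, automatic lookup) and whether each is exported beyond the app. It assumes the standard app layout (`lookups/`, `default/` and `local/` copies of `transforms.conf` and `props.conf`, `metadata/*.meta`), that an unset `export` means app-only, and simple INI-style files; the sample app and its names (`assets.csv`, `asset_lookup`) are constructed.

```python
import configparser
import re
import tempfile
from pathlib import Path

def load(app, *rel):
    """Merge simple INI-style conf files, later wins; '[]' (global .meta stanza) is renamed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.optionxform = str  # keep the case of LOOKUP-* keys
    for p in filter(Path.is_file, (Path(app) / r for r in rel)):
        cp.read_string(re.sub(r"(?m)^\[\][ \t]*$", "[__global__]", p.read_text()))
    return cp

def export_of(meta, *stanzas):
    """Most specific stanza that sets export wins; assumed 'none' (app-only) if unset."""
    hits = [meta.get(s, "export") for s in stanzas + ("__global__",) if meta.has_option(s, "export")]
    return hits[0] if hits else "none"

def audit(app):
    """Per lookup table file: its definitions, automatic lookups, and how each is shared."""
    tf, pr = (load(app, f"default/{n}.conf", f"local/{n}.conf") for n in ("transforms", "props"))
    meta = load(app, "metadata/default.meta", "metadata/local.meta")
    report = {}
    for csv in sorted((Path(app) / "lookups").glob("*.csv")):
        defs = [s for s in tf.sections() if tf.get(s, "filename", fallback=None) == csv.name]
        autos = [f"{st}/{k}" for st in pr.sections() for k, v in pr.items(st)
                 if k.startswith("LOOKUP-") and v and v.split()[0] in defs]
        report[csv.name] = {
            "file_export": export_of(meta, f"lookups/{csv.name}", "lookups"),
            "definitions": {d: export_of(meta, f"transforms/{d}", "transforms") for d in defs},
            "automatic": {a: export_of(meta, f"props/{a}", "props") for a in autos},
        }
    return report

def build_sample(root):
    """Constructed app: assets.csv is wired up, orphans.csv has no definition."""
    files = {"lookups/assets.csv": "ip,owner\n10.0.0.5,alice\n",
             "lookups/orphans.csv": "ip,owner\n",
             "local/transforms.conf": "[asset_lookup]\nfilename = assets.csv\n",
             "local/props.conf": "[syslog]\nLOOKUP-assets = asset_lookup ip OUTPUT owner\n",
             "metadata/local.meta": "[]\naccess = read : [ * ]\n\n[lookups/assets.csv]\nexport = system\n"}
    for rel, body in files.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_text(body)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(audit(build_sample(d)))
```

In the constructed app the table file is exported but its definition and automatic lookup are not, and `orphans.csv` has a file on disk with no definition at all, which are the two gaps the answer and the lab follow-up describe.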