I created a lookup and it was created under a specific app and I pointed it to a particular sourcetype.
When setting the permissions to allow all apps to access the lookup, why then can the other apps not see this lookup (other apps are using the same sourcetype).
I had to recreate each of my lookups 3 times in order to not get the error that the lookup could not be found.
Are permissions broken for lookups?
Did you set the permissions to global for all three components of the lookup?
If any one of these is not global, then the lookup will not work globally.
Would the fact that the data it is tied to(index) is on a master instance have any affect?
All set to App .. more specifically: This app only (system)
No, the lookup file can be in the app directory. The metadata is set to export the file globally.
Next question - what are the permissions on the app itself?
The lookup file remained in the specific app lookup folder even after changing it to global. Could this be the issue?
Where was the lookup file present? In global location i.e. system\lookup or the specific app lookup folder?
They were all set global, I have tried this on multiple splunk instances.