Lookup Table Problem

sjlin · ‎06-25-2013

Hi, I have a problem when using lookup function in Splunk.

I am using a lookup table in C:\Program Files\Splunk\etc\users\admin\MyApp\lookups\lookuptable.csv and Lookup table name is "lookuptable"
But if I want to add or change some data into lookuptable.csv

when I search "| inputlookup lookuptable", I get the following error

File 'C:\Program Files\Splunk\etc\users\admin\MyApp\lookups\lookuptable.csv' could not be opened for reading.

I am wondering if anyone can help. Thanks a lot.

PS, Can anyone tell me when I import lookuptable.csv into Splunk, why C:\Program Files\Splunk\etc\users\admin\MyApp\lookups\lookuptable.csv have a blank row between every original row?

sjlin · ‎06-25-2013

To linu1988:
Yes, but after I delete the lookup in Manager/lookup table, I add the lookup table again, and then the lookup file is inside the folder: \etc\users\admin\MyApp\lookups

Sorry, How can I know if splunk has read access to the lookup table?

lguinn2 · ‎06-25-2013

The docs say "The CSV files used as lookups must be created with UNIX-style line endings." This may also be your problem; there are utilities which can correct line-ending problems. You might find the dos2unix utility helpful.

lguinn2 · ‎06-25-2013

@linu1988 It looks like this lookup table is private, based on the file location.

linu1988 · ‎06-25-2013

It means the file name is wrong in the transforms.conf or the file is locked by some other process or splunk doesn't have read access to the location. try these options should resolve the issue.

And i thought the lookup files should be inside the \etc\apps\app_name\lookups folder, Isn't it?

Lookup Table Problem

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM