OK, so I've spent a good bit of time trying to implement lookup tables according to the docs, and I'm getting no luck at all. When I try to use the GUI to add a lookup table file, I get the following error:
Encountered the following error while trying to save: In handler 'lookup-table-files': Error performing action=create on object id=ol1.csv in config=lookups.
In the splunkd log, I see:
02-28-2011 11:50:06.127 WARN LookupTableConfPathMapper - Refuse to copy file from unsafe location: /splunk/var/run/splunk/lookup_tmp/ol1.csv.0132362786125 02-28-2011 11:50:06.127 ERROR PropertiesMapConfig - Failed to save settings: /admin/search/lookups/ol1.csv (user: admin, app: search, root: /opt/splunk/etc): Data could not be written: /admin/search/lookups/ol1.csv: /opt/splunk/var/run/splunk/lookup_tmp/ol1.csv.0132362786125
Putting in modified props.conf and transforms.conf in apps/search/local and putting the file in apps/search/lookups has no effect... no error messages on restart saying they were read and were improper, no visible change to log messages to suggest it worked. btool says the properties were loaded.
props.conf:
[syslog]
pulldown_type = true
maxDist = 3
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 32
TRANSFORMS = syslog-host
REPORT-syslog = syslog-extractions
SHOULD_LINEMERGE = False
lookup_orblookup = orblookup Hostname OUTPUTNEW OrganizationCode
transforms.conf:
[orblookup]
filename = ol1.csv
head ol1.csv
Hostname,OrganizationCode
hostname1.example.com,Data Warehouse
hostname2.example.com,Data Warehouse
hostname3.example.com,Data Warehouse
hostname4.example.com,Data Warehouse
hostname5.example.com,Infrastructure Operations
... View more