I am running Splunk 4.2.2 on Linux servers.
On my search heads, under /app/splunk/etc/system/local:
props.conf entries
[syslog_vrsn]
TZ = US/Eastern
REPORT-rsysog = rsyslog_extractions
lookup_deparment = IpLookup log_ip OUTPUT dept_name
transforms.conf entries
[rsyslog_extractions]
REGEX = (\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)
FORMAT = log_date::"$1" time::"$2" log_ip::"$3" log_host::"$4" facility::"$5" seveority::"$6" Message::"$12"
WRITE_META = false
Under /app/splunk/etc/system/lookups
IpLookup.csv entries
10.174.27.246,nw_grp_SUCCESS
10.174.159.249,SUCCESS_PENDING
I am still getting "The lookup table 'IpLookup' does not exist. It is referenced by configuration 'syslog_vrsn'" and it's pointing to the indexers. I even pushed the same config to the indexers, but Splunk still says "IpLookup" is missing. I even copied Iplookup.csv to Iplookup to see if the error clears, but no luck. Any help, or does anyone have this issue?
I have already checked those and they show properly.
What are the "sharing permissions" on the objects?
Can you post an example of the search you are using?
If you log into Splunk Web and browse to:
Manager » Lookups » Lookup table files
Manager » Lookups » Lookup definitions
Do you see the lookup definition and lookup file objects, and are the sharing permissions set appropriately?
Thanks for the reply, Damien. I tried the file name explicitly but it still complains about "The lookup table 'IpLookup' does not exist. It is referenced by configuration 'syslog_vrsn'".
Try this (note, I corrected your "deparment" spelling):
props.conf
LOOKUP-department = IpLookup log_ip OUTPUT dept_name
transforms.conf
[IpLookup]
filename = Iplookup.csv
max_matches = 1
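
An added example, not part of the thread and not Splunk's own tooling: a small Python check that cross-references lookup settings in props.conf against transforms.conf stanzas and the files present in the lookups directory. The function names and the rule for recognising lookup keys are assumptions; file names are compared case-sensitively, as on Linux.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_lookups(props_text, transforms_text, lookup_files):
    """Return findings for lookup references that cannot be resolved."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    findings = []
    for sourcetype, settings in props.items():
        for key, value in settings.items():
            # Assumption: any key beginning lookup- or lookup_ is a lookup
            # reference (the question's lookup_ key is named in the error).
            if not re.match(r"(?i)lookup[-_]", key) or not value:
                continue
            name = value.split()[0]  # first token is the lookup definition
            where = f"[{sourcetype}] {key}"
            stanza = transforms.get(name)
            if stanza is None:
                findings.append(f"{where}: no [{name}] stanza in transforms.conf")
                continue
            filename = stanza.get("filename")
            if filename is None:
                findings.append(f"{where}: [{name}] has no filename")
            elif filename not in lookup_files:
                near = [f for f in lookup_files if f.lower() == filename.lower()]
                hint = f" (found {near[0]}, case differs)" if near else ""
                findings.append(f"{where}: file {filename} not found{hint}")
    return findings

# Constructed inputs, abbreviated from the configuration posted in the thread
QUESTION_PROPS = "[syslog_vrsn]\nTZ = US/Eastern\nlookup_deparment = IpLookup log_ip OUTPUT dept_name\n"
QUESTION_TRANSFORMS = "[rsyslog_extractions]\nWRITE_META = false\n"
ANSWER_PROPS = "[syslog_vrsn]\nLOOKUP-department = IpLookup log_ip OUTPUT dept_name\n"
ANSWER_TRANSFORMS = "[IpLookup]\nfilename = Iplookup.csv\nmax_matches = 1\n"

if __name__ == "__main__":
    print(check_lookups(QUESTION_PROPS, QUESTION_TRANSFORMS, {"IpLookup.csv"}))
    print(check_lookups(ANSWER_PROPS, ANSWER_TRANSFORMS, {"Iplookup.csv"}))
    print(check_lookups(ANSWER_PROPS, ANSWER_TRANSFORMS, {"IpLookup.csv"}))
```

The third call shows the case where the definition exists but the file on disk differs from `filename` only in letter case.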