These are the errors I am getting:
The lookup table 'endpoint_change_object_category_lookup' does not exist. It is referenced by configuration 'WinRegistry'.
The lookup table 'endpoint_change_object_category_lookup' does not exist. It is referenced by configuration 'fs_notification'.
The lookup table 'endpoint_change_status_lookup' does not exist. It is referenced by configuration 'WinRegistry'.
The lookup table 'endpoint_change_status_lookup' does not exist. It is referenced by configuration 'fs_notification'.
The lookup table 'endpoint_change_user_type_lookup' does not exist. It is referenced by configuration 'WinRegistry'.
The lookup table 'endpoint_change_vendor_action_lookup' does not exist. It is referenced by configuration 'WinRegistry'.
The lookup table 'endpoint_change_vendor_action_lookup' does not exist. It is referenced by configuration 'fs_notification'.
The lookup table 'fs_notification_change_type_lookup' does not exist. It is referenced by configuration 'fs_notification'.
The lookup table 'msdhcp_signature_lookup' does not exist. It is referenced by configuration 'DhcpSrvLog'.
The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...'.
The best way I found is to go to the /etc/apps directory and run:
grep -r "lookup-file-causing-error" *
This will find all instances. You can then disable or uninstall whichever app is associated to confirm the error messages go away. That at least allows you to focus on which lookup is broken.
In my case, it was due to uninstalling the TA_SalesForce, but the Splunk App for Salesforce was still installed.
Hello,
I faced the same issue as well after I upgraded to 6.2.1, and I found that the difference between the old version and the new one is the reference to the CSV lookup file in props.conf.
In 6.0.1 props.conf
[sourcetype]
LOOKUP-test_lookup = test_lookup_file field_1 OUTPUT new_field
In 6.2.1 props.conf
[sourcetype]
LOOKUP-test_lookup = test_lookup_file.csv field_1 OUTPUT new_field
The difference is that the extension of the lookup file should be added.
Regards
Adding the extension changes the meaning - with .csv, you're referring to a lookup file stored in some /lookups directory; without .csv, you're referring to a lookup definition stored in transforms.conf.
If adding .csv fixes things for you, it really means your lookup definition is broken, not shared correctly, not named properly, etc.
Thanks Martin for the heads up, yes I forgot to define my lookups in the transforms.conf in my new installation.
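The distinction drawn in the comments above (a name ending in .csv is a file in a lookups directory, a bare name is a definition in transforms.conf) can be checked across all apps at once. The Python below is an added example, not part of the thread and not Splunk tooling; the function names are hypothetical. It assumes the usual default/, local/ and lookups/ layout inside each app, and it ignores sharing metadata and anything outside the apps directory.

```python
import os
import re

STANZA = re.compile(r"^\[(.+)\]\s*$")
SETTING = re.compile(r"^([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")

def read_conf(app_dir, name):
    """Merge an app's default/ and local/ copies of a .conf into {stanza: {key: value}}."""
    conf = {}
    for layer in ("default", "local"):  # local/ is read last, so its values win
        path = os.path.join(app_dir, layer, name)
        if not os.path.isfile(path):
            continue
        stanza = "default"
        with open(path, encoding="utf-8") as fh:
            for line in fh:
                head, pair = STANZA.match(line), SETTING.match(line)
                if head:
                    stanza = head.group(1)
                elif pair:
                    conf.setdefault(stanza, {})[pair.group(1)] = pair.group(2)
    return conf

def audit_lookups(apps_root):
    """Return (app, props stanza, lookup, problem) for each unresolved LOOKUP- setting."""
    apps = sorted(a for a in os.listdir(apps_root) if os.path.isdir(os.path.join(apps_root, a)))
    has_csv = lambda app, f: os.path.isfile(os.path.join(apps_root, app, "lookups", f))
    # Assumption: a definition in any installed app counts; sharing metadata is not evaluated.
    defs = {name: (app, keys.get("filename")) for app in apps
            for name, keys in read_conf(os.path.join(apps_root, app), "transforms.conf").items()}
    findings = []
    for app in apps:
        for stanza, keys in read_conf(os.path.join(apps_root, app), "props.conf").items():
            for key, value in keys.items():
                if not key.startswith("LOOKUP-") or not value:
                    continue
                target = value.split()[0]
                if target.endswith(".csv"):  # file reference, checked in the same app's lookups/
                    if not has_csv(app, target):
                        findings.append((app, stanza, target, "csv file missing"))
                elif target not in defs:  # definition reference: needs a transforms.conf stanza
                    findings.append((app, stanza, target, "no definition in transforms.conf"))
                else:
                    owner, csv = defs[target]
                    if csv and not has_csv(owner, csv):
                        findings.append((app, stanza, target, "definition points to missing " + csv))
    return findings
```

Call audit_lookups() on the etc/apps directory of the installation; an empty list means every LOOKUP- reference resolved to a definition or a file.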
Check the owner & permissions of the lookups and the user the splunkd process is running as. .../etc/apps/Splunk_TA_nix/lookups
You might want to recursively chown all your splunk directories
chown -Rf splunkUser:splunkGroup ....
My guess is someone ran splunkd as root when upgrading and root took ownership of several files, etc. Or something similar.
Some of those lookups sound as if they come from the Splunk *nix app (https://splunkbase.splunk.com/app/273/), so check in .../etc/apps/Splunk_TA_nix/lookups that they exist and that your splunk user has correct permissions.
I have the same problem. Search head and index cluster, both have the appropriate bits installed (App, SA, and/or TA - SA and TA from the app/install directory) as specified by the instructions but I get this error from every index cluster member on every search. It seems like I didn't start seeing this error until upgrading from 6.3.0 to 6.3.1 on clustered hosts.
...make sure those lookup configurations are correct and the lookups actually exist?
Thank you for the quick answer....I am new to splunk. What we had worked in 6.0.1 and not 6.2.1. Where would I start looking at?