All Apps and Add-ons

Lookup table is invalid

ashbyj
Engager

I am running Splunk for OSSEC, v4. OSSEC 2.5.1 is installed and running on the same server as Splunk. I originally started Splunk as root with

/opt/splunk/bin/splunk start

but then decided I wanted to run it as a non-root user (splunk user). I chown'ed the entire /opt/splunk directory as the splunk user and then restarted Splunk. When I go to Searches & Reports > Utilities > Initialize OSSEC Server Lookup Table, and/or Rebuild Table, I get these errors:

The lookup table 'lookup_ossec_servers' is invalid.
Found no results to write to file 'lookup_ossec_servers'.

Whats the best way to "clear" everything out and start fresh? Seems like I need to delete this lookup table and start over. Any help is appreciated.

0 Karma
1 Solution

southeringtonp
Motivator

The initialize option currently still requires that the table is valid (this is a known issue, planned to be updated in a later release). Right now, it just clears out anything other than the default "All OSSEC Servers" entry.

The simplest thing would be to open the file in a text editor and replace its contents with:

"ossec_server",description,managed
"*","All OSSEC Servers",0

Then, run the Rebuild OSSEC Server Lookup Table search again. Alternately, you can manually add a line for your server while you're editing the file, e.g.:

myserver,"This is my managed OSSEC server",1

View solution in original post

southeringtonp
Motivator

The initialize option currently still requires that the table is valid (this is a known issue, planned to be updated in a later release). Right now, it just clears out anything other than the default "All OSSEC Servers" entry.

The simplest thing would be to open the file in a text editor and replace its contents with:

"ossec_server",description,managed
"*","All OSSEC Servers",0

Then, run the Rebuild OSSEC Server Lookup Table search again. Alternately, you can manually add a line for your server while you're editing the file, e.g.:

myserver,"This is my managed OSSEC server",1

ashbyj
Engager

I tried your two suggestions and edited /opt/splunk/etc/apps/ossec/lookups/lookup_ossec_servers.csv, but I still got the same "table is invalid" error. I reinstalled the app and that worked for me. Thanks for the reply...looking forward to using the app!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...