Receiving error ⚠ The lookup table 'windows_event_...

himapate · ‎01-28-2016

Receiving multiple pop-ups when trying to run a search:

The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...'.

Added the below stanza in metadata/local.meta also metadata/default.meta

[lookups]
export = system

Also, found that the csv "windows_event_descriptions" is not present in the lookups folder of the application.
Do I need to generate a csv? If yes, what fields would the present in the csv?
This is an automatic lookup, so how would Splunk create a automatic lookup?

muebel · ‎03-02-2016

Hi himapate, I believe the issue is that you need to make the lookup in question available. This seems similar to a previous question : https://answers.splunk.com/answers/298992/how-do-you-resolve-the-error-the-lookup-table-wind.html

The splunk app for windows infrastructure can be found here : https://splunkbase.splunk.com/app/1680/

Installing the app or otherwise extracting the windows_event_descriptions.csv should resolve the issue.

Please let me know if this answers you question! 😄

SGun · ‎03-02-2016

The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...

Have the same issue.

Receiving error ⚠ The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...'. ?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life