After a clean install of the Palo Alto Networks App for Splunk, why am I getting the same lookup errors others experienced from upgrading?

dacasey
Explorer

I decided to install the latest Palo Alto Networks App for Splunk, but wanted to ensure no residual problems as others have had in the community, so I deleted all PA related apps/add-ons, TAs, and the index. Clean sweep. I combed through both the Search Head and Indexer and nothing remained from PA. I restarted both systems before proceeding.

I then installed the latest PA app on the SH and IDX. Edited the inputs.conf to adjust the port per the Getting Started guide. Modified the input port to UDP 5514. I proceeded to create the index followed by a full restart of both the SH and IDX.

Tested the basic indexing using index=pan_logs. Data is flowing, HOWEVER... I get all those lookup errors others have experienced as a result of upgrading from an older version:

Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'pan:config' and lookup table 'pan_vendor_info_lookup'.

Since I did a complete wipe and restart of both SH and IDX, then a fresh reinstall of the app configured per the Getting Started guide, I am confused as to why it is not working and why those errors still exist. It's a very small lab environment. Nothing weird. Just basic Windows TAs, etc. Yes, I checked perms and nothing was out of place.

I have a PA-200 if it matters... The syslog settings have been configured on the device per the 'configure-syslog-monitoring' guide.

What say the community? I am completely stumped!

panguy
Contributor

In 5.0 we moved the lookup tables from the app to the add-on. So you will need to confirm you have the add-on installed and just delete the lookup tables from the app.

jwelch_splunk
Splunk Employee

I just downloaded both the App and the TA. The full app is missing a lookups directory, so this:

LOOKUP-vendor_info_for_pan_config = pan_vendor_info_lookup

in the default props.conf would not work, which is why you are getting an error: there is no lookup file provided by the app.

The instructions say that you are required to install the TA; they claim it does this automatically, but if you are running clustering or another type of config you may need to install it manually.

In the TA, it does have the lookup in default/props as well and also has the lookups directory with the right csv.

My vote would be to ensure the TA is installed and to comment out the LOOKUP in the default props.conf of the app itself.

This would allow the lookup to work from the TA and eliminate the error.

Can someone verify if this works for them?

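A way to confirm the two points above (that the lookup definition and its CSV live in the TA, and that the app's own props.conf references a lookup the app does not ship) before commenting anything out. This is an added diagnostic script, not part of the Palo Alto Networks app, the TA or Splunk; the directory names demo_app/demo_ta and the file name demo_vendor_info.csv are constructed for the demo, while the LOOKUP setting and lookup name are the ones quoted in the thread.

```shell
#!/bin/sh
# Added diagnostic (not from the Palo Alto Networks app or Splunk). For one Splunk app
# directory, list every LOOKUP-* setting in props.conf and report whether the lookup
# definition it names has a [stanza] with filename= in transforms.conf and whether
# that CSV really exists under lookups/. Usage: check_app_lookups $SPLUNK_HOME/etc/apps/<app>
check_app_lookups() {
    app="$1"; status=0
    for props in "$app/default/props.conf" "$app/local/props.conf"; do
        [ -f "$props" ] || continue
        # "LOOKUP-<name> = <definition> <field mappings...>": keep <definition> only
        for def in $(sed -nE 's/^[[:space:]]*LOOKUP-[^=]*=[[:space:]]*([^[:space:]]+).*/\1/p' "$props"); do
            csv=""
            for tf in "$app/default/transforms.conf" "$app/local/transforms.conf"; do
                [ -f "$tf" ] || continue
                # filename= inside the [<definition>] stanza; local/ overrides default/
                f=$(awk -v s="[$def]" '{sub(/[ \t\r]+$/,"")} $0==s{hit=1;next} /^\[/{hit=0}
                    hit && /^[ \t]*filename[ \t]*=/{sub(/^[^=]*=[ \t]*/,""); print; exit}' "$tf")
                [ -n "$f" ] && csv="$f"
            done
            if [ -z "$csv" ]; then
                echo "MISSING-DEFINITION $def: no [$def] stanza with filename= in $app"; status=1
            elif [ ! -f "$app/lookups/$csv" ]; then
                echo "MISSING-FILE $def -> $app/lookups/$csv"; status=1
            else
                echo "OK $def -> $app/lookups/$csv"
            fi
        done
    done
    return $status
}

# Constructed fixture mirroring the thread: the app's props.conf references
# pan_vendor_info_lookup but ships no lookups/ directory, while the TA carries both the
# definition and the CSV (demo_vendor_info.csv is a made-up file name for this demo).
make_demo_apps() {
    d=$(mktemp -d)
    mkdir -p "$d/demo_app/default" "$d/demo_ta/default" "$d/demo_ta/lookups"
    printf '[pan:config]\nLOOKUP-vendor_info_for_pan_config = pan_vendor_info_lookup\n' \
        > "$d/demo_app/default/props.conf"
    cp "$d/demo_app/default/props.conf" "$d/demo_ta/default/props.conf"
    printf '[pan_vendor_info_lookup]\nfilename = demo_vendor_info.csv\n' \
        > "$d/demo_ta/default/transforms.conf"
    printf 'vendor,product\nPalo Alto Networks,PAN-OS\n' > "$d/demo_ta/lookups/demo_vendor_info.csv"
    echo "$d"
}

demo=$(make_demo_apps)
check_app_lookups "$demo/demo_app" || echo "demo_app reproduces the error quoted in the thread"
check_app_lookups "$demo/demo_ta"
```

Run it against the real app and TA directories under $SPLUNK_HOME/etc/apps on the search head to see which package actually resolves each LOOKUP before editing props.conf.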

panguy
Contributor

This error usually comes from a missing TA. Can you confirm you have the TA installed? If not, please install it. There are some instances where the TA does not get installed automatically.

saurabh_tek
Communicator

Hi @panguy / @jamesbrock, I am facing a similar issue as well.

The error is coming on all my custom dashboard searches: "Error could not find all the specified lookup fields in the lookup table for conf fs_notification and lookup table endpoint_change_status_lookup"

This is the Splunk-certified version of the Palo Alto app (5.2.0) which I have installed, and all lookups are in the add-on and none in the app. There is no lookup named endpoint change status either.

I don't know how to remove it; if you know, please help me get rid of this. Management is asking me why my custom searches are showing a ! sign (which is coming from the Palo Alto app).

saurabh_tek
Communicator

Dear @ppablo_splunk, could you help on this?

jamesbrock
Path Finder

I have this exact problem. After trying to go through the upgrade I removed everything and started over. Still get the errors. Stumped as well!!
