Solved: Why am I getting search error "The lookup table 's...

Makinde · ‎04-11-2016

Hello,

I have a custom written app. Actually it's a legit app which I just added a few lines in the props.conf and inputs.conf files to help obtain some other types of logs and extract useful fields in the log.

So far it appears to be working well, however, I had the following line in the props to help make some comparison to a lookup table;

LOOKUP-signals = signals signal_number as sig

I put the lookup file signals.csv in the lookup folder.

However now I get the following error when I do my searches

[WSECP0005] The lookup table 'signals' does not exist. It is referenced by configuration 'linux:audit'.

Any ideas what could be wrong?

Thanks,
Makinde

martin_mueller · ‎04-11-2016

You probably forgot to create and/or share a lookup definition called signals referencing the signals.csv file.

View solution in original post

martin_mueller · ‎04-11-2016

You probably forgot to create and/or share a lookup definition called signals referencing the signals.csv file.

martin_mueller · ‎04-11-2016

Lookup definitions live in transforms.conf, minimally like this:

[signals]
filename = signals.csv

That should be deployable along with the rest of the app.

Makinde · ‎04-11-2016

Thanks Martin_Mueller.

I realized that after posting the question however this is an App deployed through the deployment manager, how can I create a lookup definition such that it is a part of the App and gets deployed through the deployment manager?

Why am I getting search error "The lookup table 'signals' does not exist" after adding a CSV file in my app's lookup folder?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!