
Why am I encountering Issues with Palo Alto lookups and permissions with a deployment?

mbelarde_splunk
Splunk Employee

Hello there,

I am having issues with a deployment in which, when a user with a non-admin role searches using, let's say, the Search app, I get the following output:

• The limit has been reached for log messages in info.csv. 69 messages have not been written to info.csv. Please refer to search.log for these messages or limits.conf to configure this limit.
• [idx-i-1] The lookup table 'app_lookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'app_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'classification_lookup' does not exist. It is referenced by configuration 'pan:hipmatch'.
• [idx-i-1] The lookup table 'classification_lookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'classification_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'classification_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'endpoint_actions_lookup' does not exist. It is referenced by configuration 'pan:endpoint'.
• [idx-i-1] The lookup table 'endpoint_severity_lookup' does not exist. It is referenced by configuration 'pan:endpoint'.
• [idx-i-1] The lookup table 'pan_vendor_action_lookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'pan_vendor_action_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:aperture'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:config'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:hipmatch'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:system'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
• [idx-i-1] The lookup table 'sanctioned_saas_lookup' does not exist. It is referenced by configuration 'pan:threat'.
• [idx-i-1] The lookup table 'sanctioned_saas_lookup' does not exist. It is referenced by configuration 'pan:traffic'.

Does anyone know what this is related to?

1 Solution

qi3ber
Explorer

Assuming you're using the same search head for both the admin and non-admin searches, I would recommend checking the permissions on the lookup tables referenced in the above errors. My guess is that the read permissions on those lookup tables are restricted to admin only, which makes the non-admin user run into errors. It's also worth checking the permissions on the underlying lookup files those tables are using as well, but I believe that those errors are related to the tables themselves.


mbelarde_splunk
Splunk Employee

Hey qi3ber,

I just checked and adjusted the "Lookup table files" and "Lookup definitions", and they had permissions assigned to only the app, not everyone as required.

That did the job, although it seems that the permissions were not cascaded down to the objects when the read permission was assigned to the app itself (this is the Splunk_TA_paloalto through "Manage Apps"). Is this the normal behaviour?

Thanks!

M.

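The check qi3ber suggests (read permissions on the lookup definitions and the underlying lookup files) and the finding in the reply above (objects shared only with the app, not fixed by sharing the app itself) can be scripted. The following is an added example, not code from the thread or from Splunk_TA_paloalto: it extracts the lookup names from the "does not exist" search messages and compares them against the stanzas of a metadata/local.meta file. The error lines are a subset of the ones quoted in the question; the local.meta contents and the .csv file names are constructed for illustration, and the merge with default.meta is simplified to inheritance from the app-level `[]` stanza.

```python
"""Report lookup definitions and lookup files that non-admin roles cannot read.

Added example (assumptions: Splunk metadata stanza names follow the
transforms/<definition> and lookups/<file> convention; the .csv names below
are made up; only local.meta is consulted, with the [] stanza as the default).
"""
import re
from typing import Dict, List, Set

# Constructed sample: a subset of the search messages quoted in the question.
ERROR_LINES = """\
[idx-i-1] The lookup table 'app_lookup' does not exist. It is referenced by configuration 'pan:threat'.
[idx-i-1] The lookup table 'app_lookup' does not exist. It is referenced by configuration 'pan:traffic'.
[idx-i-1] The lookup table 'classification_lookup' does not exist. It is referenced by configuration 'pan:hipmatch'.
[idx-i-1] The lookup table 'pan_vendor_info_lookup' does not exist. It is referenced by configuration 'pan:system'.
"""

# Constructed sample of $SPLUNK_HOME/etc/apps/<app>/metadata/local.meta.
# The [] stanza is the app-wide default that "Manage Apps" permissions write;
# a per-object stanza with its own access/export overrides it.
LOCAL_META = """\
[]
access = read : [ * ], write : [ admin ]
export = system

[transforms/app_lookup]
access = read : [ admin ], write : [ admin ]
export = system

[lookups/app_lookup.csv]
access = read : [ admin ], write : [ admin ]
export = system

[transforms/classification_lookup]
access = read : [ * ], write : [ admin ]
export = system

[lookups/classification_lookup.csv]
access = read : [ * ], write : [ admin ]
export = system

[transforms/pan_vendor_info_lookup]
access = read : [ * ], write : [ admin ]
export = none
"""

MISSING_RE = re.compile(r"The lookup table '([^']+)' does not exist")


def lookups_from_errors(text: str) -> Set[str]:
    """Distinct lookup definition names mentioned in 'does not exist' messages."""
    return set(MISSING_RE.findall(text))


def parse_meta(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .meta parser: stanza name -> {key: value}; '' is the [] stanza."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def read_roles(access: str) -> Set[str]:
    """Role list from an access value such as 'read : [ a, b ], write : [ c ]'."""
    m = re.search(r"read\s*:\s*\[([^\]]*)\]", access)
    if not m:
        return set()
    return {r.strip() for r in m.group(1).split(",") if r.strip()}


def readable_by_all(stanza: Dict[str, str]) -> bool:
    """True when every role may read the object and it is exported globally.

    export = system is what makes the object visible from other apps, such as
    the Search app used in the question."""
    return "*" in read_roles(stanza.get("access", "")) and stanza.get("export", "") == "system"


def find_restricted(errors: str, meta: str, file_ext: str = ".csv") -> List[str]:
    """Stanzas (definition and file) that a non-admin user cannot use, in order."""
    stanzas = parse_meta(meta)
    app_default = stanzas.get("", {})
    problems: List[str] = []
    for name in sorted(lookups_from_errors(errors)):
        for stanza_name in (f"transforms/{name}", f"lookups/{name}{file_ext}"):
            # An object without its own stanza inherits the app-level [] stanza.
            stanza = stanzas.get(stanza_name, app_default)
            if not readable_by_all(stanza):
                problems.append(stanza_name)
    return problems


if __name__ == "__main__":
    for item in find_restricted(ERROR_LINES, LOCAL_META):
        print(f"restricted: [{item}] -> needs read : [ * ] and export = system")
```

In the constructed sample the app-level `[]` stanza is already world-readable, yet `app_lookup` is still flagged on both its definition and its file, and `pan_vendor_info_lookup` is flagged on its definition because `export = none` keeps it private to the app: a per-object stanza carries its own `access` and `export` and is not changed by editing the app's permissions, which is consistent with what the reply above observed.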

mbelarde_splunk
Splunk Employee

Palo Alto App version: 6.0.1 / Splunk_TA_paloalto: 6.0.2
