Splunk Search

Lookup Issues - windows_name_lookup does not exist

joshuar
New Member

Hi,

Some background:

We have Splunk 4.1.4 on Red Hat Linux. We also have the PCI Compliance Suite installed.

Every time I log in I get the red error bar complaining about a lookup issue. I did see another similar 'Answer' but it wasn't quite the same issue. I am fairly new to Splunk, so here is what I have found so far.

From the logs:

ERROR LookupOperator - The lookup table 'windows_name_lookup' does not exist. It is referenced by configuration 'source::(MonitorWare|Snare|WinEventLog)...'.

The word windows_name_lookup is found in these files:

[root@splunk opt]# grep -R windows_name_lookup *|more
splunk/etc/apps/SKB-windows/default/transforms.conf:[windows_name_lookup]
splunk/etc/apps/SKB-windows/default/transforms.conf:[windows_name_lookup2]
splunk/etc/apps/SKB-windows/default/props.conf:LOOKUP-name_for_windows = windows_name_lookup signature_id OUTPUT name
splunk/etc/apps/SKB-windows/default/props.conf:LOOKUP-name_for_windows2 = windows_name_lookup2 signature_id,Sub_Status OUTPUTNEW name
splunk/etc/apps/SKB-windows/local/transforms.conf:[windows_name_lookup]
splunk/etc/apps/SKB-windows/local/transforms.conf:[windows_name_lookup2]

I can see the lookup table is referenced with the following:

[windows_name_lookup]
filename=windows_names.csv

[windows_name_lookup2]
filename=windows_names_substatus.csv

Those files do exist on my system:

[root@splunk opt]# find . -name 'windows_names.csv'
./splunk/etc/apps/SKB-windows/lookups/windows_names.csv
[root@splunk opt]# find . -name 'windows_names_substatus.csv'
./splunk/etc/apps/SKB-windows/lookups/windows_names_substatus.csv

Any help would be appreciated.

Josh

0 Karma

gkanapathy
Splunk Employee

You probably need to make sure the lookup (or all lookups) are exported from the SKB-windows app to global. This is a bug in the app that it isn't. You can do this either in the Manager GUI, or you can add to SKB-windows/metadata/local.meta this:

[lookups]
export = system

joshuar
New Member

I tried this with no luck. The GUI also shows the lookup as "Sharing - Global".

0 Karma
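The checks this thread performs by hand (props.conf reference, transforms.conf stanza after default/local layering, CSV on disk, export to system) can be run in one pass. This is an added example, not code from the posters or from Splunk; `read_layers` and `audit_lookups` are hypothetical names, and it assumes file-based lookups whose CSV lives in the app's own lookups/ directory and reads only the app-wide `[]` and `[lookups]` metadata stanzas.

```python
import os
import sys

def read_layers(paths):
    """Minimal Splunk .conf/.meta reader; later paths override earlier ones per key."""
    conf = {}
    for path in filter(os.path.isfile, paths):
        stanza = "default"
        with open(path, encoding="utf-8") as fh:
            for line in map(str.strip, fh):
                if line.startswith("[") and line.endswith("]"):
                    stanza = line[1:-1]
                    conf.setdefault(stanza, {})
                elif "=" in line and not line.startswith("#"):
                    key, value = line.split("=", 1)
                    conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf

def audit_lookups(app):
    """Map each lookup named by a props.conf LOOKUP- setting to a list of problems."""
    layers = lambda name: read_layers([os.path.join(app, d, name) for d in ("default", "local")])
    props, transforms = layers("props.conf"), layers("transforms.conf")
    meta = read_layers([os.path.join(app, "metadata", f) for f in ("default.meta", "local.meta")])
    # Assumption: only the app-wide [] and [lookups] stanzas are read, not per-object ones.
    export = meta.get("lookups", {}).get("export", meta.get("", {}).get("export"))
    report = {}
    for settings in props.values():
        for key, value in settings.items():
            if not key.startswith("LOOKUP-") or not value.split():
                continue
            name, problems = value.split()[0], []
            filename = transforms.get(name, {}).get("filename")
            if name not in transforms:
                problems.append("no transforms.conf stanza")
            elif not filename:
                problems.append("stanza has no filename after layering")
            elif not os.path.isfile(os.path.join(app, "lookups", filename)):
                problems.append("lookups/%s not found" % filename)
            if export != "system":
                problems.append("lookups not exported to system")
            report[name] = problems
    return report

if __name__ == "__main__":
    # Usage: python audit_lookups.py <path to the app directory, e.g. .../etc/apps/SKB-windows>
    for name, problems in sorted(audit_lookups(sys.argv[1]).items()):
        print(name, "->", "; ".join(problems) or "ok")
```

A stanza that appears in both default/ and local/ is reported on its merged form, so a local stanza that blanks `filename` shows up even though the default file looks correct.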