Lookup table is invalid

ashbyj
Engager

I am running Splunk for OSSEC, v4. OSSEC 2.5.1 is installed and running on the same server as Splunk. I originally started Splunk as root with

/opt/splunk/bin/splunk start

but then decided I wanted to run it as a non-root user (splunk user). I chown'ed the entire /opt/splunk directory as the splunk user and then restarted Splunk. When I go to Searches & Reports > Utilities > Initialize OSSEC Server Lookup Table, and/or Rebuild Table, I get these errors:

The lookup table 'lookup_ossec_servers' is invalid.
Found no results to write to file 'lookup_ossec_servers'.

What's the best way to "clear" everything out and start fresh? Seems like I need to delete this lookup table and start over. Any help is appreciated.


southeringtonp
Motivator

The initialize option currently still requires that the table is valid (this is a known issue, planned to be updated in a later release). Right now, it just clears out anything other than the default "All OSSEC Servers" entry.

The simplest thing would be to open the file in a text editor and replace its contents with:

"ossec_server",description,managed
"*","All OSSEC Servers",0

Then, run the Rebuild OSSEC Server Lookup Table search again. Alternately, you can manually add a line for your server while you're editing the file, e.g.:

myserver,"This is my managed OSSEC server",1

ashbyj
Engager

I tried your two suggestions and edited /opt/splunk/etc/apps/ossec/lookups/lookup_ossec_servers.csv, but I still got the same "table is invalid" error. I reinstalled the app and that worked for me. Thanks for the reply...looking forward to using the app!
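
A way to check the lookup file after hand-editing it or after changing ownership of /opt/splunk, as an added example that is not part of the original thread or of the Splunk for OSSEC app. It checks the header and default entry quoted in the answer; the function names are hypothetical, and the rules that every record has three fields and that `managed` is 0 or 1 are assumptions based on the rows shown above.

```python
import csv
import io
import os

# Header and default entry exactly as quoted in the answer above.
EXPECTED_HEADER = ["ossec_server", "description", "managed"]
DEFAULT_ROW = ["*", "All OSSEC Servers", "0"]

def check_lookup_text(text):
    """Return a list of problems in the CSV text; an empty list means none found."""
    problems = []
    if text.startswith("\ufeff"):  # byte order mark that some editors prepend
        problems.append("file starts with a UTF-8 byte order mark")
        text = text[1:]
    rows = [r for r in csv.reader(io.StringIO(text, newline="")) if r]
    if not rows:
        return problems + ["file is empty"]
    if rows[0] != EXPECTED_HEADER:
        problems.append(f"unexpected header: {rows[0]!r}")
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(EXPECTED_HEADER):
            problems.append(f"record {n}: expected 3 fields, found {len(row)}")
        elif row[2] not in ("0", "1"):  # assumption: managed is a 0/1 flag
            problems.append(f"record {n}: managed is {row[2]!r}, expected 0 or 1")
    if DEFAULT_ROW not in rows[1:]:
        problems.append("default '*' entry is missing")
    return problems

def check_lookup_file(path):
    """Check that the current user can read and write the file, then its contents."""
    if not os.path.isfile(path):
        return [f"{path}: not a regular file"]
    problems = []
    if not os.access(path, os.W_OK):
        problems.append(f"{path}: not writable by the current user")
    if not os.access(path, os.R_OK):
        return problems + [f"{path}: not readable by the current user"]
    with open(path, newline="", encoding="utf-8") as fh:
        return problems + check_lookup_text(fh.read())

if __name__ == "__main__":
    # Constructed sample: header lost its third column, as after a bad hand edit.
    sample = 'ossec_server,description\n"*","All OSSEC Servers",0\nmyserver,"My server",yes\n'
    for problem in check_lookup_text(sample):
        print(problem)
```

Run it as the splunk user against /opt/splunk/etc/apps/ossec/lookups/lookup_ossec_servers.csv so the access checks reflect the account Splunk runs under.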
