All Apps and Add-ons
Highlighted

Lookup table warning after upgrading to 6.2.1

Explorer

Last week I updated our distributed environment from 6.1 to 6.2.1. 99% of the process was easy and nothing else went wrong except for one thing: every time a search runs (and on every panel in a dashboard) this group of error messages are showing, sometimes multiple times, regardless of the content of the search.

splunk-iv-2 and splunk-iv-3 are both indexers.

[splunk-iv-2] The lookup table 'ciscovendorinfolookup' does not exist. It is referenced by configuration 'cisco:asa'.
[splunk-iv-2] The lookup table 'cisco
vendorinfolookup' does not exist. It is referenced by configuration 'cisco:fwsm'.
[splunk-iv-2] The lookup table 'ciscovendorinfolookup' does not exist. It is referenced by configuration 'cisco:pix'.
[splunk-iv-3] The lookup table 'cisco
vendorinfolookup' does not exist. It is referenced by configuration 'cisco:asa'.
[splunk-iv-3] The lookup table 'ciscovendorinfolookup' does not exist. It is referenced by configuration 'cisco:fwsm'.
[splunk-iv-3] The lookup table 'cisco
vendorinfolookup' does not exist. It is referenced by configuration 'cisco:pix'.

This table shows in the Lookup tables section of Splunk. I can find the actual file and it's populated, it has the exact same permissions as the other lookup tables in the addon directory, but it's NOT open by the operating system unlike the rest of the tables, so it's as if Splunk refuses to open it and then complains that it's not open. I have no idea why this is happening and it does not seem to affect anything, but this is an extremely annoying message and when we start expanding the environment to new users it will probably cause them unnecessary concern.

Has anyone seen this or anything like it? Again the file is there physically, both in the file system and in Splunk. I've even tried deleting and replacing it in Splunk and it still throws this error. The app is up to date according to the addon manager in Splunk.

If you need any more information please feel free to ask!

Highlighted

Re: Lookup table warning after upgrading to 6.2.1

Explorer

Just started getting these errors above the search bar everytime i attempt to do one regardless of what APP dashboard I'm in. It only started after I updated Cisco Security Suite today.

The lookup table 'ciscovendorinfolookup' does not exist. It is referenced by configuration 'cisco:asa'.
The lookup table 'cisco
vendorinfolookup' does not exist. It is referenced by configuration 'cisco:fwsm'.
The lookup table 'ciscovendorinfo_lookup' does not exist. It is referenced by configuration 'cisco:pix'.

You aren't alone in this. Hopefully this topic stays near the top

0 Karma
Highlighted

Re: Lookup table warning after upgrading to 6.2.1

Splunk Employee
Splunk Employee

You probably have automatic lookups setup, and they are global therefore apply from any app.

But the lookups tables may not have the permissions to be visible from other app.
Please go to the cisco apps, look in the lookup tables settings, figure in which app they are and change the permissions for the necessary ones : from app to global ( or system)

see this similar article http://answers.splunk.com/answers/154326/so-many-lookups-so-many-errors-the-lookup-table-xxx-does-no...

0 Karma
Highlighted

Re: Lookup table warning after upgrading to 6.2.1

Explorer

The table is actually set to Global, with read permissions for Everyone. I also have export = system set in the .meta files for the app, both for Global and for the specific lookup table.

0 Karma