Splunk Add-on for Cisco ASA: Why am I getting "The lookup table networkservice does not exist" in the alert messages?

rubeniturrieta
Communicator

Hi to everybody,

I have a little problem. I can see in the alert messages, with this text:

1) The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:asa'.
2) The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:fwsm'.
3) The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:pix'.

I have only Cisco ASA Firewall data.

Any help, I'll be very grateful.

Thanks a lot in advance

Rubén

1 Solution

trymo
Engager

If you don't want to remove SA-cisco-asa, you may want to do a modification in 'SA-cisco-asa/default/transforms.conf':
1. create directory 'local' under 'SA-cisco-asa'
2. copy 'default/transforms.conf' to 'local/transforms.conf'
3. add the following to 'local/transforms.conf':

    [networkservice]
    filename = service-names-port-numbers.csv
    max_matches = 1

4. copy file 'Splunk_CiscoSecuritySuite/lookups/service-names-port-numbers.csv' to 'SA-cisco-asa/lookups/service-names-port-numbers.csv'
5. restart splunk

no errors so far...

molinarf
Communicator

I tried this and it works. The error: 'The lookup table 'networkservice' does not exist.' cleared up. I am wondering why whenever there are upgrades to applications we inevitably have to go through and find out what's missing. Thank you trymo for providing this answer.

lindbergh_calde
Explorer

I tried this workaround as well. It works like a charm.

Thanks trymo for providing this answer.

sjh65
Explorer

I had to disable "SA-cisco-asa (3.0.1)" for these 'networkservice' errors to disappear. They didn't disappear from rerunning a search, but once I ran a new search on a new page after disabling the SA add-on, all was well again.

The only related parts I have are:

  • Splunk Add-on for Cisco ASA Splunk_TA_cisco-asa 3.2.1
  • Cisco ASA / PIX / FWSM Dashboards SA-cisco-asa 3.0.1 Disabled and Soon to Be Removed
  • Cisco ESA Email Security Appliance Dashboards SA-cisco-esa 3.0.3
  • Cisco Security Suite Splunk_CiscoSecuritySuite 3.1.0
  • Splunk Add-on for Cisco ASA Splunk_TA_cisco-asa 3.2.1
  • Splunk Add-on for Cisco ESA Splunk_TA_cisco-esa 1.1.0

The firewall dashboards within the Cisco Security Suite all seem to be in working order still.

jimmy_ford
New Member

I have the same issue. The "networkservice" lookup definition is in the Cisco Security Suite App. You can find it when clicking > Settings > Lookups > Lookup Definitions > pull down "App context" to all apps and do the search on the right hand side for "networkservice"

I also have an issue where if I do a search in the Search and Reporting for anything involving my Cisco syslog and get the following: "The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:asa'." so it's not just the Cisco Security Suite app affected.

I disabled all the Splunk Cisco add-ons in the Cisco Security Suite app > Help > Setup > Check boxes for all the dashboards, and the SA-cisco-asa, and still get errors on the Suite dashboard.

If I go straight to a search: "eventtype=cisco-security-events" events populate.....

If I do this search: "eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" " I get nothing... weird

0 Karma

swasserroth
Path Finder

In our case, the following Cisco-ASA-specific things were installed:
- SA-cisco-asa (3.0.1): this was causing the errors after upgrading the Splunk_CiscoSecuritySuite from 3.0.3 to 3.1.0 and therefore is now disabled
- Splunk_TA_cisco-asa (3.2.1)
- Splunk_CiscoSecuritySuite (3.2.1)

With this configuration we do not get any errors regarding table "networkservice", because this table is defined inside the app Splunk_CiscoSecuritySuite (look at default/transforms.conf) and requires service-names-port-numbers.csv, which is located in the app-subdirectory lookups.

If you have installed SA-cisco-asa (3.0.1), you will find there in the props.conf more references to "networkservice", but the SA-cisco-asa does not define any transforms and does not contain the .csv-file needed -- thus the error.

So far our analysis -- your mileage may vary 😉

Regards,
Stephan
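
The mismatch described above (a props.conf that references a lookup its own app neither defines in transforms.conf nor ships as a CSV) can be checked offline. The following is an added example, not code from this thread or from the add-on: the function names, the `LOOKUP-svc` line and its field names are constructed for illustration, and the check looks at one app in isolation, ignoring lookups shared from other apps.

```python
import tempfile
from pathlib import Path

def read_conf(app, name):
    """Merge default/ then local/ copies of a .conf file into {stanza: {key: value}}."""
    stanzas = {}
    for layer in ("default", "local"):  # local settings override default ones
        path = app / layer / name
        current = None
        for line in map(str.strip, path.read_text().splitlines() if path.is_file() else []):
            if line.startswith("[") and line.endswith("]"):
                current = stanzas.setdefault(line[1:-1], {})
            elif "=" in line and current is not None and not line.startswith("#"):
                key, value = line.split("=", 1)
                current[key.strip()] = value.strip()
    return stanzas

def missing_lookups(app):
    """Return (props stanza, lookup name, reason) for lookups this app cannot resolve."""
    props, transforms = read_conf(app, "props.conf"), read_conf(app, "transforms.conf")
    findings = set()
    for stanza, settings in props.items():
        for key, value in settings.items():
            if key.startswith("LOOKUP-") and value:
                name = value.split()[0]  # first token names the transforms.conf stanza
                csv = transforms.get(name, {}).get("filename")
                if name not in transforms:
                    findings.add((stanza, name, "no transforms.conf stanza"))
                elif csv and not (app / "lookups" / csv).is_file():
                    findings.add((stanza, name, "missing lookups/" + csv))
    return sorted(findings)

def demo():
    with tempfile.TemporaryDirectory() as root:
        app = Path(root) / "SA-cisco-asa"
        for sub in ("default", "local", "lookups"):
            (app / sub).mkdir(parents=True)
        # Constructed SA-cisco-asa tree; field names after the lookup name are made up.
        (app / "default/props.conf").write_text(
            "[cisco:asa]\nLOOKUP-svc = networkservice dest_port OUTPUT service\n")
        before = missing_lookups(app)
        (app / "local/transforms.conf").write_text(
            "[networkservice]\nfilename = service-names-port-numbers.csv\nmax_matches = 1\n")
        stanza_only = missing_lookups(app)
        (app / "lookups/service-names-port-numbers.csv").write_text("port,service\n")
        return before, stanza_only, missing_lookups(app)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Pointing `missing_lookups()` at a real app directory under `$SPLUNK_HOME/etc/apps` reports the same two conditions; an empty list means every lookup the app's props.conf references has both its stanza and its CSV in that app.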

jimmy_ford
New Member

Okay I deleted the SA cisco addon but the Cisco security app still doesn't work (the dashboard still shows blank)...

And I still get: Eventtype 'cisco_esa* does not exist or is disabled' I only have asa enabled on the dashboard and the TA on the indexer.

If I go straight to a search: "eventtype=cisco-security-events" events populate.....

If I do this search: "eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" " I get nothing... weird

0 Karma

swasserroth
Path Finder

OK, probably I have found the root cause: as soon as I disabled the application "Cisco ASA / PIX / FWSM Dashboards" (SA-cisco-asa), these errors vanished. The newest incarnation of the Cisco Security Suite seems to work without this older SA, maybe it should be de-installed. The embedded link of SA-cisco-asa pointing to the Splunk Apps website leads to a 404 error.

Regards,
Stephan

swasserroth
Path Finder

We are hit by the same problem: after upgrading the Cisco Security Suite from 3.0.3 to 3.1.0 these errors are displayed on any dashboard. Must be directly related to this version of the app...

Regards,
Stephan

jcoates_splunk
Splunk Employee

Hi, there's no such lookup in the add-on... can you use btool to find out where the lookup is being referenced? http://docs.splunk.com/Documentation/Splunk/6.2.1/Troubleshooting/Usebtooltotroubleshootconfiguratio...

0 Karma

ppablo
Community Manager

Hi @rubeniturrieta

Are you referring to the Splunk Add-on for Cisco ASA in your post? https://apps.splunk.com/app/1620/

or any other app/add-on?

rubeniturrieta
Communicator

Yes, I'm referring to the Splunk Add-on for Cisco ASA

0 Karma

ppablo
Community Manager

Thanks for clarifying. I just edited your post and tagged it with the official tag for the add-on.

0 Karma

rubeniturrieta
Communicator

Ok, thank you

0 Karma