Hi to everybody,
I have a little problem. I can see in the alert messages, with this text:
1) The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:asa'.
2) The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:fwsm'.
3) The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:pix'.
I have only Cisco ASA Firewall data.
Any help, i'll be very grateful.
Thanks a lot in advance
Rubén
If you don't want to remove SA-cisco-asa, you may want to do a modification in 'SA-cisco-asa/default/transforms.conf' ;
1. create directory 'local' under 'SA-cisco-asa'
2. copy 'default/transforms.conf' to 'local/transforms.conf'
3. add following to 'local/transforms.conf';
[networkservice]
filename = service-names-port-numbers.csv
max_matches = 1
no errors so far...
If you don't want to remove SA-cisco-asa, you may want to do a modification in 'SA-cisco-asa/default/transforms.conf' ;
1. create directory 'local' under 'SA-cisco-asa'
2. copy 'default/transforms.conf' to 'local/transforms.conf'
3. add following to 'local/transforms.conf';
[networkservice]
filename = service-names-port-numbers.csv
max_matches = 1
no errors so far...
I tried this and it works. The error: 'The lookup table 'networkservice' does not exist.' cleared up. I am wondering why when ever there are upgrades to applications we inevitably have to go through and find out what's missing. Thank you trymo for providing this answer.
I tried this workaround as well. It works like a charm.
Thanks trymo for providing this answer.
I had to disable "SA-cisco-asa (3.0.1)" for these 'networkservice' errors to disappear. Didn't disappear from rerunning a search. But once I ran a new search on a new page after disabling the SA add-on. All is well again.
The only related parts I have are:
The firewall dashboards within the Cisco Security Suite all seem to be in working order still.
I have the same issue. The "networkservice" lookup definition is in the Cisco Security Suite App. You can find it when clicking > Settings > Lookups > Lookup Definitions > pull down "App context" to all apps and do the search on the right hand side for "networkservice"
I also have an issue where if I do a search in the Search and Reporting for anything involving my Cisco syslog and get the following: "The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:asa'." so it's not just the Cisco Security Suite app affected.
I disabled all the Splunk Cisco add-ons in the Cisco Security Suite app > Help > Setup > Check boxes for all the dashboards. and the SA-cisco-asa and still get errors on the Suite dashboard.
If I go straight to a search: "eventtype=cisco-security-events" events populate.....
If I do this search: "eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" " I get nothing... wierd
In our case, the following Cisco-ASA-specific things were installed:
- SA-cisco-asa (3.0.1): this was causing the errors after upgrading the Splunk_CiscoSecuritySuit from 3.0.3 to 3.1.0 and therefore is now disabled
- Splunk_TA_cisco-asa (3.2.1)
- Splunk_CiscoSecuritySuite (3.2.1)
With this configuration we do not get any errors regarding table "networkservice", because this table is defined inside the app Splunk_CiscoSecuritySuite (look at default/transforms.conf) and requires service-names-port-numbers.csv, which is located in the app-subdirectory lookups.
IF you have installed SA-cisco-asa (3.0.1), you will find there in the props.conf more references to "networkservice", but the SA-cisco-asa does not define any transforms and does not contain the .csv-file needed -- thus the error.
So far our analysis -- your mileage may vary 😉
Regards,
Stephan
Okay I deleted the SA cisco addon but the Cisco security app still doesn't work (the dashboard still shows blank)...
And I still get: Eventtype 'cisco_esa* does not exist or is disabled' I only have asa enabled on the dashboard and the TA on the indexer.
If I go straight to a search: "eventtype=cisco-security-events" events populate.....
If I do this search: "eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" " I get nothing... weird
OK, probably I have found the root cause: as soon, as I disabled the application "Cisco ASA / PIX / FWSM Dashboards" (SA-cisco-asa), these errors vanished. The newest incarnation of the Cisco Security Suite seems to work without this older SA, maybe it should be de-installed. The embedded link of SA-cisco-asa pointing to the Splunk Apps website leads to a 404 error.
Regards,
Stephan
We are hit by the same problem: after upgrading the Cisco Security Suite from 3.0.3 to 3.1.0 these errors are displayed on any dashboard. Must be directly related to this version of the app...
Regards,
Stephan
Hi, there's no such lookup in the add-on... can you use btool to find out where the lookup is being referenced? http://docs.splunk.com/Documentation/Splunk/6.2.1/Troubleshooting/Usebtooltotroubleshootconfiguratio...
Hi @rubeniturrieta
Are you referring to the Splunk Add-on for Cisco ASA in your post? https://apps.splunk.com/app/1620/
or any other app/add-on?
Yes, i'm refering to the Splunk Add-on for Cisco ASA
Thanks for clarifying. I just edited your post and tagged it with the official tag for the add-on.
Ok, thanks you