Solved: Splunk App for Unix and Linux errors with configur...

blindauer · ‎07-28-2014

I've just installed the Splunk App for *Nix. The indexer/forwarder that it is on is Windows based, running splunk 6. I have 1 redhat linux box configured with the add-on and the universal forwarder to send to this box. When I navigate to the Splunk for Nix app, i get the following error messages:

The lookup table 'nix_action_lookup' does not exist. It is referenced by configuration 'syslog'.

The lookup table 'nix_action_lookup' does not exist. It is referenced by configuration 'osx_secure'.

The lookup table 'nix_action_lookup' does not exist. It is referenced by configuration 'linux_secure'.

The lookup table 'nix_action_lookup' does not exist. It is referenced by configuration 'aix_secure'.

The lookup table 'linux_service_startmode_lookup' does not exist. It is referenced by configuration 'source::...(Linux|Unix):Service'.

The lookup table 'fs_notification_change_type_lookup' does not exist. It is referenced by configuration 'fs_notification'.

The lookup table 'endpoint_change_vendor_action_lookup' does not exist. It is referenced by configuration 'fs_notification'.

The lookup table 'endpoint_change_status_lookup' does not exist. It is referenced by configuration 'fs_notification'.

The lookup table 'endpoint_change_object_category_lookup' does not exist. It is referenced by configuration 'fs_notification'.

The lookup table 'da_version_range_lookup' does not exist. It is referenced by configuration 'source::...(AIX|FreeBSD|HPUX|Linux|OSX|Solaris|Unix):Version'.

The lookup table 'da_update_status_lookup' does not exist. It is referenced by configuration 'source::...(AIX|FreeBSD|HPUX|Linux|OSX|Solaris|Unix):Update'.

Here's a screenshot (i62.tinypic.com/1qo310.png) of the error.

A bit of googling around hasn't shown me anything useful. I've re-installed twice and am still having the same issue.
The installation and configuration instructions are a bit fuzzy on some details, so maybe I'm missing something.
Also, instructions talk about configuring the Add-on on the search head/indexer. When trying to set it up I get an error message telling me that since its not on linux/unix there are no config options available.

Can anyone tell me what I'm missing here? I'm a bit stumped.
Thanks.

araitz · ‎07-28-2014

The problem is that the SA-nix and/or Splunk_TA_nix aren't being installed properly. You might have more than 30 apps on your system and be running Splunk 6.1. The workaround is to copy SA-nix and Splunk_TA_nix from splunk_app_for_nix/install into your $SPLUNK_HOME/etc/apps directory and restart Splunk.

View solution in original post

araitz · ‎07-28-2014

The problem is that the SA-nix and/or Splunk_TA_nix aren't being installed properly. You might have more than 30 apps on your system and be running Splunk 6.1. The workaround is to copy SA-nix and Splunk_TA_nix from splunk_app_for_nix/install into your $SPLUNK_HOME/etc/apps directory and restart Splunk.

blindauer · ‎07-29-2014

Well I didn't have more than 30 apps, but I'm on splunk 6.1.
You were 100% right with your diagnosis and solution. Manually installing the two supporting apps completely fixed it!
You're amazing, Thanks!

Splunk App for Unix and Linux errors with configuration

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk