Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

LookupOperator errors on a forwarder?

Lowell
Super Champion
‎11-30-2010 10:25 PM

I've started to see the following messages from some of my forwarding instances of splunk:

11-30-2010 16:50:02.355 ERROR LookupOperator - The lookup table 'sqlagent_jobs' does not exist. It is referenced by configuration 'mssql_processes'.

This error is somewhat correct. I do have "sqlagent_jobs" defined in transforms.conf, but the sqlagent_jobs.csv is missing on the forwarder's app. What I'm trying to figure out is why the forwarder cares.

I'm familiar with getting these LookupOperator errors on the search-head (and interactively) when I forget part of the lookup configuration or have some kind of permissions issue--but I thought that was strictly caused by running a search. On my forwarders, there are no running searches. (I use heavy-weight forwarders, so it's possible to run search on them; but there's no locally indexed data to search; and I see no entries in searches.log or scheduler.log so I don't think that's the case, but I could be missing something.)

Does anyone know what else would trigger this error?

(As a work around, I'm commenting out the LOOKUP-* entries in my deployment-apps app for the moment, but I don't want to have to maintain two versions of my app if I don't have too. I use the same app on the search-head and on my forwarders)

Reply

kamal_jagga
Contributor
‎01-16-2018 01:21 PM

Check if there was any Windows/OS upgrade/update on the Server.

Restarting the RPC Server of dbconnect and Splunk restart should fix the issue.

0 Karma
Reply

kamal_jagga
Contributor
‎01-16-2018 11:57 AM

I am also getting the same error on my dbconnect windows server. This started coming over the weekend and no changes were made to any file or config.
Kindly advise.

0 Karma
Reply

steveyz
Splunk Employee
Splunk Employee
‎01-06-2011 06:37 PM

I'm guessing there are actually searches being run on your heavyweight forwarders. By default I believe we have scheduled searches that run that populate various status dashboards and it may be these searches that are triggering the error.

0 Karma
Reply

steveyz
Splunk Employee
Splunk Employee
‎01-12-2011 04:29 AM

Hmm, do you ever hit the UI on your forwarders?

0 Karma
Reply

Lowell
Super Champion
‎01-06-2011 07:18 PM

I think I disabled all the of internal searches for this very reason. But supposing I missed one, can you think of any reasons why I'm not seeing anything logged in searches.log, scheduler.log (both of these are 0 bytes on the forwarder), audit.log has nothing about running searches, and there's nothing in dispatch folder. Is there anything else I should look for?

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...

The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...

Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25

Hello Splunkers, Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...

Community Spotlight: A Splunk Expert's Journey

In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...
Top