Solved: ESS error with conf 'oracle' lookup table 'oracle...

xuanyun · ‎09-15-2013

Dear expert:

When I installed ESS, I found a ERROR on the top of splunk's web.

Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'oracle' and lookup table 'oracle_action_lookup'.

I didn't do any change.
How can I solve it?

LukeMurphey · ‎09-16-2013

'oracle_action_lookup' is part of TA-oracle and it is used for converting the action field provided from Oracle to a Common Information Model equivalent.

I cannot figure out why you would see this error because the props.conf entry only looks up one field so is should work:

[oracle]
...
LOOKUP-action_for_oracle_auth = oracle_action_lookup ACTION OUTPUTNEW action

I recommend opening a support case and providing a diag. Support should be able to identify the problem fairly quickly with a diag.

View solution in original post

LukeMurphey · ‎09-16-2013

'oracle_action_lookup' is part of TA-oracle and it is used for converting the action field provided from Oracle to a Common Information Model equivalent.

I cannot figure out why you would see this error because the props.conf entry only looks up one field so is should work:

[oracle]
...
LOOKUP-action_for_oracle_auth = oracle_action_lookup ACTION OUTPUTNEW action

I recommend opening a support case and providing a diag. Support should be able to identify the problem fairly quickly with a diag.

ESS error with conf 'oracle' lookup table 'oracle_action_lookup'

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk