Splunk Search

Cisco Firewalls/IPS apps update, now I get lookup table error

awsdcuser
Explorer

I recently updated Cisco Firewalls and Cisco IPS apps to the latest versions (2.0 and 2.0.0). Now when I perform a search I receive errors similar to this: "The lookup table 'err_code_lookup' does not exist. It is referenced by configuration 'diff text here'."

From some investigating, it looks like it is looking for a non-existing file. I appreciate any help on how to obtain this file or fix this error.

Thanks.

Tags (1)
1 Solution

awsdcuser
Explorer

Splunk provided the missing file.

View solution in original post

AWDItTech
New Member

I managed to find a difference between the file event_codes.csv in the (Splunk_CiscoSecuritySuite/lookups + Splunk_CiscoFirewalls/lookups) & the TA-cisco_asa/lookups.

The TA-cisco_asa had the first line as
log_level_desc,log_level,errorcode,event_desc
instead of
log_level_desc,log_level,error_code,event_desc
Problem fixed by copying over the file, or you could edit it

0 Karma

awsdcuser
Explorer

Splunk provided the missing file.

rpetrini
Engager

I uninstalled and reinstalled without the upgrade option. I still do not have the file. I am using the firewall app. Where do I get the file?

0 Karma

awsdcuser
Explorer

Did you perform an upgrade from a previous version to 2.0.0? If so the way I fixed it was to remove the app and then do a fresh install of the 2.0.0 (not an upgrade).

0 Karma

srich
Explorer

I see this was marked as the answer but how do the rest of us get the file?

0 Karma

awsdcuser
Explorer

For me it was a problem when performing the upgrade for both apps. For the firewall app I had talked with a Splunk engineer who provided the missing file. For the IPS app I removed the app and then installed it from the current 2.0.0 version (no upgrading) and it works.

arozar
Explorer

Where can I get this file? I too am receiving this message now.

0 Karma
Get Updates on the Splunk Community!

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...