Hi,

Some background,

We have Splunk 4.1.4 on Redhat Linux. We also have the PCI Compliance Suite Installed

Everytime I login I get the red error bar complaining about a lookup issue. I did see another similar 'Answer' but it wasn't quite the same issue. I am fairly new to splunk so here is what I have found so far.

From the logs;

ERROR LookupOperator - The lookup table 'windows_name_lookup' does not exist. It is referenced by configuration 'source::(MonitorWare|Snare|WinEventLog)...'.

The word windows_name_lookup is found in these files;

[root@splunk opt]# grep -R windows_name_lookup *|more
splunk/etc/apps/SKB-windows/default/transforms.conf:[windows_name_lookup]
splunk/etc/apps/SKB-windows/default/transforms.conf:[windows_name_lookup2]
splunk/etc/apps/SKB-windows/default/props.conf:LOOKUP-name_for_windows = windows_name_lookup signature_id OUTPUT name
splunk/etc/apps/SKB-windows/default/props.conf:LOOKUP-name_for_windows2 = windows_name_lookup2 signature_id,Sub_Status OUTPUTNEW name
splunk/etc/apps/SKB-windows/local/transforms.conf:[windows_name_lookup]
splunk/etc/apps/SKB-windows/local/transforms.conf:[windows_name_lookup2]

I can see the lookup table is referenced with the following;

[windows_name_lookup]
filename=windows_names.csv

[windows_name_lookup2]
filename=windows_names_substatus.csv

Those files do exist on my system;

[root@splunk opt]# find . -name 'windows_names.csv'
./splunk/etc/apps/SKB-windows/lookups/windows_names.csv
[root@splunk opt]# find . -name 'windows_names_substatus.csv'
./splunk/etc/apps/SKB-windows/lookups/windows_names_substatus.csv

Any help would be appreciated..

Josh