Splunk Search

Lookup Issues - windows_name_lookup does not exist

New Member


Some background,

We have Splunk 4.1.4 on Redhat Linux. We also have the PCI Compliance Suite Installed

Everytime I login I get the red error bar complaining about a lookup issue. I did see another similar 'Answer' but it wasn't quite the same issue. I am fairly new to splunk so here is what I have found so far.

From the logs;

ERROR LookupOperator - The lookup table 'windows_name_lookup' does not exist. It is referenced by configuration 'source::(MonitorWare|Snare|WinEventLog)...'.

The word windows_name_lookup is found in these files;

[root@splunk opt]# grep -R windows_name_lookup *|more
splunk/etc/apps/SKB-windows/default/props.conf:LOOKUP-name_for_windows = windows_name_lookup signature_id OUTPUT name
splunk/etc/apps/SKB-windows/default/props.conf:LOOKUP-name_for_windows2 = windows_name_lookup2 signature_id,Sub_Status OUTPUTNEW name

I can see the lookup table is referenced with the following;



Those files do exist on my system;

[root@splunk opt]# find . -name 'windows_names.csv'
[root@splunk opt]# find . -name 'windows_names_substatus.csv'

Any help would be appreciated..


Tags (1)
0 Karma

Splunk Employee
Splunk Employee

You probably need to make sure the lookup (or all lookups) are exported from the SKB-windows app to global. This is a bug in the app that it isn't. You can do this either in the Manager GUI, or you can add to SKB-windows/metadata/local.meta this:

export = system

New Member

I tried this with no luck. The GUI also shows the loonkup as "Sharing - Global"

0 Karma
Get Updates on the Splunk Community!

Tips & Tricks When Using Ingest Actions

Tune in to learn about:Large scale architecture when using Ingest ActionsRegEx performance considerations ...

Announcing Our Splunk MVPs

We are excited to announce the first cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...