Splunk Search
Highlighted

Lookup Issues - windows_name_lookup does not exist

New Member

Hi,

Some background,

We have Splunk 4.1.4 on Redhat Linux. We also have the PCI Compliance Suite Installed

Everytime I login I get the red error bar complaining about a lookup issue. I did see another similar 'Answer' but it wasn't quite the same issue. I am fairly new to splunk so here is what I have found so far.

From the logs;

ERROR LookupOperator - The lookup table 'windows_name_lookup' does not exist. It is referenced by configuration 'source::(MonitorWare|Snare|WinEventLog)...'.

The word windows_name_lookup is found in these files;

[root@splunk opt]# grep -R windows_name_lookup *|more
splunk/etc/apps/SKB-windows/default/transforms.conf:[windows_name_lookup]
splunk/etc/apps/SKB-windows/default/transforms.conf:[windows_name_lookup2]
splunk/etc/apps/SKB-windows/default/props.conf:LOOKUP-name_for_windows = windows_name_lookup signature_id OUTPUT name
splunk/etc/apps/SKB-windows/default/props.conf:LOOKUP-name_for_windows2 = windows_name_lookup2 signature_id,Sub_Status OUTPUTNEW name
splunk/etc/apps/SKB-windows/local/transforms.conf:[windows_name_lookup]
splunk/etc/apps/SKB-windows/local/transforms.conf:[windows_name_lookup2]

I can see the lookup table is referenced with the following;

[windows_name_lookup]
filename=windows_names.csv

[windows_name_lookup2]
filename=windows_names_substatus.csv

Those files do exist on my system;

[root@splunk opt]# find . -name 'windows_names.csv'
./splunk/etc/apps/SKB-windows/lookups/windows_names.csv
[root@splunk opt]# find . -name 'windows_names_substatus.csv'
./splunk/etc/apps/SKB-windows/lookups/windows_names_substatus.csv

Any help would be appreciated..

Josh

Tags (1)
0 Karma
Highlighted

Re: Lookup Issues - windows_name_lookup does not exist

Legend

You probably need to make sure the lookup (or all lookups) are exported from the SKB-windows app to global. This is a bug in the app that it isn't. You can do this either in the Manager GUI, or you can add to SKB-windows/metadata/local.meta this:

[lookups]
export = system
Highlighted

Re: Lookup Issues - windows_name_lookup does not exist

New Member

I tried this with no luck. The GUI also shows the loonkup as "Sharing - Global"

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.