Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Receiving error ⚠ The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...'. ?

himapate
Explorer
‎01-28-2016 04:58 AM

Receiving multiple pop-ups when trying to run a search:

The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...'.

Added the below stanza in metadata/local.meta also metadata/default.meta

[lookups]
export = system

Also, found that the csv "windows_event_descriptions" is not present in the lookups folder of the application.
Do I need to generate a csv? If yes, what fields would the present in the csv?
This is an automatic lookup, so how would Splunk create a automatic lookup?

Reply

muebel
SplunkTrust
SplunkTrust
‎03-02-2016 07:37 AM

Hi himapate, I believe the issue is that you need to make the lookup in question available. This seems similar to a previous question : https://answers.splunk.com/answers/298992/how-do-you-resolve-the-error-the-lookup-table-wind.html

The splunk app for windows infrastructure can be found here : https://splunkbase.splunk.com/app/1680/

Installing the app or otherwise extracting the windows_event_descriptions.csv should resolve the issue.

Please let me know if this answers you question! 😄

0 Karma
Reply

SGun
Explorer
‎03-02-2016 05:53 AM

The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...

Have the same issue.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...