Receiving error ⚠ The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...'. ?

Receiving multiple pop-ups when trying to run a search:

The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...'.

Added the below stanza in metadata/local.meta and also in metadata/default.meta:

[lookups]
export = system

Also, found that the csv "windowseventdescriptions" is not present in the lookups folder of the application.
Do I need to generate a CSV? If yes, what fields would be present in the CSV?
This is an automatic lookup, so how would Splunk create an automatic lookup?

Re: Receiving error ⚠ The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...'. ?

The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...'.

Have the same issue.

0 Karma

Re: Receiving error ⚠ The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...'. ?

Hi himapate, I believe the issue is that you need to make the lookup in question available. This seems similar to a previous question: https://answers.splunk.com/answers/298992/how-do-you-resolve-the-error-the-lookup-table-wind.html

The Splunk App for Windows Infrastructure can be found here: https://splunkbase.splunk.com/app/1680/

Installing the app or otherwise extracting the windowseventdescriptions.csv should resolve the issue.

Please let me know if this answers your question! 😄

0 Karma
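
An added example, not part of the thread or of any Splunk app: a small Python check that walks one app directory and reports every automatic lookup (a `LOOKUP-<class>` setting in props.conf) whose definition is missing from transforms.conf or whose CSV is missing from `lookups/`, which are the conditions behind the error above. It only inspects a single app and does not model lookups exported from other apps through metadata; the field names and CSV filename in the demo are constructed.

```python
import os, tempfile

def parse_conf(path):
    """Minimal Splunk .conf reader -> {stanza: {key: value}}; ignores line continuations."""
    stanzas, current = {}, None
    if not os.path.isfile(path):
        return stanzas
    with open(path, encoding="utf-8") as fh:
        for line in map(str.strip, fh):
            if line.startswith("[") and line.endswith("]"):
                current = stanzas.setdefault(line[1:-1], {})
            elif current is not None and "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                current[key.strip()] = value.strip()
    return stanzas

def missing_lookups(app_dir):
    """List (props stanza, lookup, reason) for automatic lookups this app cannot resolve."""
    props, transforms = {}, {}
    for layer in ("default", "local"):  # local settings override default
        for name, merged in (("props.conf", props), ("transforms.conf", transforms)):
            for stanza, kv in parse_conf(os.path.join(app_dir, layer, name)).items():
                merged.setdefault(stanza, {}).update(kv)
    problems = []
    for stanza, kv in props.items():
        for key, value in kv.items():
            if not key.startswith("LOOKUP-") or not value:
                continue
            lookup = value.split()[0]  # first token names the lookup definition
            definition = transforms.get(lookup)
            if definition is None:
                problems.append((stanza, lookup, "no transforms.conf stanza"))
            elif "filename" in definition and not os.path.isfile(
                    os.path.join(app_dir, "lookups", definition["filename"])):
                problems.append((stanza, lookup, "CSV missing from lookups/"))
    return problems

def demo(with_csv):
    """Build a constructed app (field and file names are made up) and check it."""
    src = "source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)..."
    with tempfile.TemporaryDirectory() as app:
        for sub in ("default", "lookups"):
            os.mkdir(os.path.join(app, sub))
        with open(os.path.join(app, "default", "props.conf"), "w") as fh:
            fh.write(f"[{src}]\nLOOKUP-desc = windows_event_descriptions EventCode OUTPUT description\n")
        with open(os.path.join(app, "default", "transforms.conf"), "w") as fh:
            fh.write("[windows_event_descriptions]\nfilename = windows_event_descriptions.csv\n")
        if with_csv:
            open(os.path.join(app, "lookups", "windows_event_descriptions.csv"), "w").close()
        return missing_lookups(app)
```

Calling `missing_lookups()` on a real app directory (for example a folder under `$SPLUNK_HOME/etc/apps/`) returns an empty list when every automatic lookup in that app resolves locally.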