Splunk Search

Receiving error ⚠ The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...'. ?

himapate
Explorer

Receiving multiple pop-ups when trying to run a search:

The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...'.

Added the below stanza in metadata/local.meta and also in metadata/default.meta:

[lookups]
export = system

Also, I found that the csv "windows_event_descriptions" is not present in the lookups folder of the application.
Do I need to generate a csv? If yes, what fields would be present in the csv?
This is an automatic lookup, so how would Splunk create an automatic lookup?

muebel
SplunkTrust

Hi himapate, I believe the issue is that you need to make the lookup in question available. This seems similar to a previous question: https://answers.splunk.com/answers/298992/how-do-you-resolve-the-error-the-lookup-table-wind.html

The Splunk App for Windows Infrastructure can be found here: https://splunkbase.splunk.com/app/1680/

Installing the app or otherwise extracting the windows_event_descriptions.csv should resolve the issue.

Please let me know if this answers your question! 😄

0 Karma
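The error in this thread comes from an automatic lookup chain (a props.conf `LOOKUP-` setting pointing at a transforms.conf stanza, which points at a CSV) that has a missing link. The following check is an added example, not part of the original answer or of any Splunk app: it walks that chain inside one app directory and reports where it breaks. Assumptions: the helper names are hypothetical, the sample field names `example_field` and `example_description` are placeholders, and lookups defined in a different app and exported through metadata are not visible to it.

```python
import tempfile
from pathlib import Path

def read_conf(app_dir, name):
    """Parse default/ then local/ <name> into {stanza: {key: value}}; local wins."""
    stanzas = {}
    for layer in ("default", "local"):
        path, current = Path(app_dir, layer, name), None
        for raw in (path.read_text().splitlines() if path.is_file() else []):
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                current = stanzas.setdefault(line[1:-1], {})
            elif "=" in line and not line.startswith("#") and current is not None:
                key, value = line.split("=", 1)
                current[key.strip()] = value.strip()
    return stanzas

def check_lookups(app_dir):
    """Return (props_stanza, lookup_name, problem) for each broken automatic lookup."""
    transforms, problems = read_conf(app_dir, "transforms.conf"), []
    for stanza, settings in read_conf(app_dir, "props.conf").items():
        for key, value in settings.items():
            if not key.startswith("LOOKUP-") or not value:
                continue
            name = value.split()[0]  # first token names the transforms.conf stanza
            filename = transforms.get(name, {}).get("filename")
            if name not in transforms:
                problems.append((stanza, name, "no transforms.conf stanza"))
            elif filename and not Path(app_dir, "lookups", filename).is_file():
                problems.append((stanza, name, "missing lookups/" + filename))
    return problems

def build_sample_app(root):
    """Constructed sample app: the lookup is referenced and defined, the CSV is absent."""
    for sub in ("default", "lookups"):
        Path(root, sub).mkdir()
    Path(root, "default", "props.conf").write_text(
        "[source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...]\n"
        "LOOKUP-example = windows_event_descriptions example_field OUTPUT example_description\n")
    Path(root, "default", "transforms.conf").write_text(
        "[windows_event_descriptions]\nfilename = windows_event_descriptions.csv\n")
    return root

if __name__ == "__main__":
    print(check_lookups(build_sample_app(tempfile.mkdtemp())))
```
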

SGun
Explorer

The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...

Have the same issue.

0 Karma