Splunk Search

So many lookups, so many errors : The lookup table `XXX` does not exist.

yannK
Splunk Employee

Once in a while I have errors with lookups that show in the UI when searching.

Example:

The lookup table 'exploitable_stats_lookup' does not exist. It is referenced by configuration 'exploitable_stats'.

It's always hard to figure out where they are coming from; it seems linked to automatic lookups that are global. And every time I upgrade an app or Splunk it comes back.
There are many answers about it; can we have a definitive explanation?

1 Solution

yannK
Splunk Employee

Here is my compendium of all the common lookup errors:

To work, an automatic lookup needs (on the search head, and sometimes on the indexer if specified as local):

  1. the lookup file. Verify it in the file system in the app; Splunk needs permission to read it. Example: $SPLUNK_HOME/etc/apps/myapp/lookups/mylookup.csv
  2. the lookups > lookup table file in the settings. Make sure that the file (.csv) is linked to a table, and verify in which app the lookup is. Example: $SPLUNK_HOME/etc/apps//lookups/mylookup.csv in myapp.
  3. the lookups > lookup definition in the settings. It does the mapping of a lookup table to a lookup file (csv). Example: mylookup -> $SPLUNK_HOME/etc/apps//lookups/mylookup.csv in myapp.
  4. the lookups > automatic lookups in the settings. The rule to apply the lookup every time an event matches the condition (usually a sourcetype). Example: if sourcetype=mysourcetype, apply the lookup: mylookup mymatchingfield OUTPUT myoutputfield

All are required, and each uses the previous one to be defined, so start by double-checking them.

For more details, read the docs:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Addfieldsfromexternaldatasources


The most frequent errors are :

  • Lookup file is really missing from the disk.

  • Wrong app or multiple apps, each with multiple definitions of the same lookup objects.
    If you have the same lookup in multiple places (thank you redundant TA and SA and apps), the winner (after applying the permissions based on your user) will be local > default, and then the alphabetical order of the app folder names.

  • correct role permissions:
    for each object (table / definition / automatic lookup) you need read permissions for the role. So if your role cannot see all the pieces, you are gonna have a bad time.
    -> check the permissions, unify them

  • correct app visibility:
    This is a very classic issue: if your lookup is in an app, it should work in this app.
    But if your automatic lookup is global and the table is not, you will see errors for not finding the lookup table.
    -> check permissions, and unify them as needed: private, app only or global
    You can do the same in $SPLUNK_HOME/etc/apps/myapp/metadata/local.meta with export=system (for global).

Remark: the lookup folder may also need metadata permissions.
Sometimes an app is defined as global by default (the search app), and sometimes the settings change with the Splunk version, so double-check.
One of the workarounds is to make all lookup files global (may be risky if you want to contain users per app):
$SPLUNK_HOME/etc/system/metadata/local.meta
[lookups]
access = read : [ admin, power, user ], write : [ admin, power ]
export = system

Rarer errors are linked to distributed search:

  • the search bundle was not copied to the search peers, and the lookup or the roles are messed up. Check your bundle replication error messages. In some cases, clean the bundle on the peers and retry.
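Added example, not part of the answer above and not Splunk's own tooling: a small checker that walks the layers the answer lists (lookup file, lookup definition, automatic lookup, then app visibility and role read permissions) over a constructed set of app config files and reports each broken layer, then shows that unifying export and permissions clears them. The app name `myapp`, the stanzas, the `.meta` contents and the lookup names are constructed for illustration; the `[]`, `[transforms/<name>]` and `[props/<sourcetype>/LOOKUP-<name>]` metadata stanza forms and the `filename` / `LOOKUP-` keys are standard Splunk conf syntax. The in-memory dicts stand in for the real files under $SPLUNK_HOME/etc/apps/<app>/.

```python
"""Walk the layers an automatic lookup needs (file, definition, automatic lookup,
visibility, role permissions) over constructed Splunk config and report what is broken."""
import re

# Constructed stand-ins for $SPLUNK_HOME/etc/apps/<app>/lookups/*.csv,
# local/transforms.conf, local/props.conf and metadata/local.meta.
APPS = {
    "myapp": {
        "lookups": {"mylookup.csv": "host,owner\nweb01,alice\n"},
        "transforms.conf": "[mylookup]\nfilename = mylookup.csv\n",
        # the second LOOKUP- references a definition that exists in no app
        "props.conf": "[mysourcetype]\nLOOKUP-owner = mylookup host OUTPUT owner\n"
                      "LOOKUP-exploitable_stats = exploitable_stats_lookup id OUTPUT score\n",
        # automatic lookup exported globally while its definition stays app-only
        # and readable by fewer roles: the two mismatches the answer describes
        "local.meta": "[props/mysourcetype/LOOKUP-owner]\nexport = system\n"
                      "access = read : [ admin, power, user ], write : [ admin ]\n"
                      "[transforms/mylookup]\nexport = none\naccess = read : [ admin ], write : [ admin ]\n",
    },
}

def parse_conf(text):
    """Minimal Splunk .conf/.meta stanza parser: {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def meta_for(meta, obj_path):
    """Most specific stanza: 'transforms/mylookup', then 'transforms', then app-wide ''."""
    parts = obj_path.split("/")
    for i in range(len(parts), -1, -1):
        stanza = "/".join(parts[:i])
        if stanza in meta:
            return meta[stanza]
    return {}

def read_roles(entry):
    m = re.search(r"read\s*:\s*\[([^\]]*)\]", entry.get("access", ""))
    return {r.strip() for r in m.group(1).split(",") if r.strip()} if m else set()

def scope(entry):
    return "global" if entry.get("export", "none") == "system" else "app"

def check_automatic_lookups(apps):
    """Return (app, automatic-lookup key, problem) tuples, one per broken layer."""
    definitions = {}  # lookup name -> file-backed definitions across all apps
    for app, files in apps.items():
        meta = parse_conf(files.get("local.meta", ""))
        for name, keys in parse_conf(files.get("transforms.conf", "")).items():
            if "filename" in keys:  # external/KV-store lookups are out of scope here
                entry = meta_for(meta, f"transforms/{name}")
                definitions.setdefault(name, []).append({
                    "app": app, "scope": scope(entry), "roles": read_roles(entry),
                    "file_present": keys["filename"] in files.get("lookups", {})})
    problems = []
    for app, files in apps.items():
        meta = parse_conf(files.get("local.meta", ""))
        for stanza, keys in parse_conf(files.get("props.conf", "")).items():
            for key, value in keys.items():
                if not key.startswith("LOOKUP-"):
                    continue
                lookup, auto = value.split()[0], meta_for(meta, f"props/{stanza}/{key}")
                # same app wins, then globally exported definitions in app-name order
                visible = sorted((d for d in definitions.get(lookup, [])
                                  if d["app"] == app or d["scope"] == "global"),
                                 key=lambda d: (d["app"] != app, d["app"]))
                if not visible:
                    problems.append((app, key, f"lookup table '{lookup}' does not exist or is not visible from '{app}'"))
                    continue
                d = visible[0]
                if not d["file_present"]:
                    problems.append((app, key, f"lookup file for '{lookup}' is missing from disk in '{d['app']}'"))
                if scope(auto) == "global" and d["scope"] != "global":
                    problems.append((app, key, f"automatic lookup is global but definition '{lookup}' is app-only"))
                hidden = read_roles(auto) - d["roles"]
                if hidden:
                    problems.append((app, key, f"roles {sorted(hidden)} can read the automatic lookup but not '{lookup}'"))
    return problems

# The fix the answer recommends: unify export and read permissions for every
# piece (here via the app-wide [] stanza) and drop the dangling reference.
FIXED_APPS = {"myapp": {**APPS["myapp"],
    "props.conf": "[mysourcetype]\nLOOKUP-owner = mylookup host OUTPUT owner\n",
    "local.meta": "[]\nexport = system\naccess = read : [ admin, power, user ], write : [ admin ]\n"}}

if __name__ == "__main__":
    for problem in check_automatic_lookups(APPS):
        print(*problem, sep=" | ")
    print("after fix:", check_automatic_lookups(FIXED_APPS))
```

Running it prints the three findings for the constructed config (global automatic lookup with an app-only definition, roles that can read the automatic lookup but not the definition, and the reference to a lookup table that exists nowhere) and an empty list once the metadata is unified. On a real search head the same walk can be done by pointing the parser at the merged output of the `btool` command for `transforms`, `props` and the app `metadata` files instead of the inline strings.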
