Splunk Search

So many lookups, so many errors : The lookup table `XXX` does not exist.

yannK
Splunk Employee

I have, once in a while, errors with lookups that show in the UI when searching.

Example:

The lookup table 'exploitable_stats_lookup' does not exist. It is referenced by configuration 'exploitable_stats'.

It's always hard to figure out where they are coming from; it seems linked to automatic lookups that are global. And every time I upgrade an app or Splunk, it comes back.
There are many answers about it; can we have a definitive explanation?

1 Solution

yannK
Splunk Employee

Here is my compendium of all the common lookup errors:

To work, an automatic lookup needs (on the search head, and sometimes on the indexer if specified as local):

  1. The lookup file. Verify it in the file system in the app; Splunk needs permissions to read it. Example: $SPLUNK_HOME/etc/apps/myapp/lookups/mylookup.csv
  2. The lookups > lookup table file in the settings. Make sure that the file (.csv) is linked to a table, and verify which app the lookup is in. Example: $SPLUNK_HOME/etc/apps//lookups/mylookup.csv in myapp.
  3. The lookups > lookup definition in the settings. It does the mapping of a lookup table to a lookup file (csv). Example: mylookup -> $SPLUNK_HOME/etc/apps//lookups/mylookup.csv in myapp.
  4. The lookups > automatic lookups in the settings. The rule to apply the lookup every time an event matches the condition (usually a sourcetype). Example: if sourcetype=mysourcetype, apply the lookup: mylookup mymatchingfield OUTPUT myoutputfield

All are required, and each uses the previous one to be defined, so start by double-checking them.

For more details, read the docs:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/Addfieldsfromexternaldatasources


The most frequent errors are:

  • Lookup file is really missing from the disk.

  • Wrong app, or multiple apps, each with multiple definitions of the same lookup objects.
    If you have the same lookup in multiple places (thank you, redundant TA and SA and apps), the winner (after applying the permissions based on your user) will be local > default, and then the alphabetical order of the app folder names.

  • Correct role permissions:
    For each object (table / definition / automatic lookup) you need the read permission for the role. So if your role cannot see all the pieces, you are gonna have a bad time.
    -> Check the permissions and unify them.

  • Correct app visibility:
    This is a very classic issue: if your lookup is in an app, it should work in this app.
    But if your automatic lookup is global and the table is not, you will see errors for not finding the lookup table.
    -> Check permissions, and unify them as needed: private, or app only, or global.
    You can do the same in $SPLUNK_HOME/etc/apps/myapp/metadata/local.meta with export=system (for global).

Remark: the lookups folder may also need metadata permissions.
Sometimes an app is defined as global by default (the search app); sometimes the settings change with the Splunk version, so double-check.
One of the workarounds is to make all lookup files global (may be risky if you want to contain users per app):
$SPLUNK_HOME/etc/system/metadata/local.meta
[lookups]
access = read : [ admin, power, user ], write : [ admin, power ]
export = system

Rarer errors are linked to distributed search:

  • The search bundle was not copied to the search peers, and the lookup or the roles are messed up. Check your bundle replication error messages. In some cases, clean the bundle on the peers and retry.
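As an added illustration of the chain described in this answer (not code from the post or from Splunk), the following Python checker walks each props.conf automatic lookup to its transforms.conf definition and lookup file, per app context, applying the app-only vs export=system visibility rule and the alphabetical tiebreak the answer mentions. The in-memory app layout, the sample contents and the simplified metadata handling (only `[kind]` and `[kind/name]` stanzas, no default/local layering) are assumptions.

```python
import configparser

def parse_conf(text):
    """Parse a Splunk .conf/.meta fragment into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive (LOOKUP-xxx)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def exported(meta, kind, name):
    """True if [kind/name] or [kind] in metadata carries export = system (global)."""
    return any(meta.get(s, {}).get("export") == "system" for s in (f"{kind}/{name}", kind))

def check_lookups(apps):
    """Walk automatic lookup -> definition -> file per app context; return error strings."""
    errors = []
    parsed = {a: {k: parse_conf(v) for k, v in c.items() if k != "files"} for a, c in apps.items()}
    for app, conf in parsed.items():
        for stanza, keys in conf["props"].items():
            for key, value in keys.items():
                if not key.startswith("LOOKUP-"):
                    continue
                defname = value.split()[0]
                # A global (exported) automatic lookup fires in every app context.
                contexts = sorted(apps) if exported(conf["meta"], "props", stanza) else [app]
                for ctx in contexts:
                    # Definitions visible from ctx: owned by ctx itself, or exported globally.
                    owners = sorted(a for a, c in parsed.items() if defname in c["transforms"]
                                    and (a == ctx or exported(c["meta"], "transforms", defname)))
                    if not owners:
                        errors.append(f"[{ctx}] The lookup table '{defname}' does not exist. "
                                      f"It is referenced by configuration '{stanza}' ({app}).")
                        continue
                    owner = owners[0]  # ties: alphabetical app folder name wins
                    fname = parsed[owner]["transforms"][defname].get("filename")
                    if fname not in apps[owner]["files"]:
                        errors.append(f"[{ctx}] Lookup file '{fname}' for '{defname}' is missing from {owner}/lookups/.")
    return errors

# Constructed sample (not a real deployment): myapp exports its props stanza, so the automatic
# lookup is global, but keeps the definition app-private -> it cannot be found from 'search'.
BROKEN = {
    "myapp": {"props": "[mysourcetype]\nLOOKUP-mylookup = mylookup mymatchingfield OUTPUT myoutputfield\n",
              "transforms": "[mylookup]\nfilename = mylookup.csv\n",
              "meta": "[props]\nexport = system\n", "files": {"mylookup.csv"}},
    "search": {"props": "", "transforms": "", "meta": "", "files": set()},
}
# The answer's fix: unify visibility by exporting the definition and the file as well.
FIXED = {**BROKEN, "myapp": {**BROKEN["myapp"], "meta":
         "[props]\nexport = system\n[transforms/mylookup]\nexport = system\n[lookups]\nexport = system\n"}}
```

Running `check_lookups(BROKEN)` reports the "does not exist" error only for the `search` context, while `check_lookups(FIXED)` returns no errors.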
