Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

The lookup table 'msdhcp_signature_lookup' does not exist. It is referenced by configuration 'DhcpSrvLog'.

daryl_fallin
Engager
‎08-21-2012 07:56 AM

Getting this error when searching.

The lookup table 'msdhcp_signature_lookup' does not exist. It is referenced by configuration 'DhcpSrvLog'.

The only references I can find for msdhcp_signature_lookup are in the $SPLUNK_HOME/etc/apps/windows/default in props.conf and transforms.conf

I have copied props.conf and transforms.conf into ../local (relative to above dir) and commented out lines referencing msdhcp_signture_lookup

Any suggestions on how to get rid of this error? Or how to track this down?

props.conf

[DhcpSrvLog]
SHOULD_LINEMERGE = false
REPORT-0auto_kv_for_microsoft_dhcp = auto_kv_for_microsoft_dhcp
REPORT-dest_for_microsoft_dhcp = dest_nt_host_as_dest,dest_mac_as_dest,dest_ip_as_dest
#LOOKUP-signature_for_microsoft_dhcp = msdhcp_signature_lookup msdhcp_id OUTPUTNEW signature

tranforms.conf

#[msdhcp_signature_lookup]
#filename = msdhcp_signatures.csv
Reply

daryl_fallin
Engager
‎08-21-2012 08:57 AM

Ok. This is probably not the solution, but I fixed the problem by creating an empty msdhcp_signatures.csv file in the ./lookups directory.

I assume that now that the lookup table (the file) exists, splunk has stopped complaining.

Reply

djbyler
Explorer
‎09-27-2012 10:19 AM

I agree that it is a poor solution, but creating this file did make the error message go away for me. My concern is of course that the file was missing in the first place and that as a result, some functionality is missing or will yield inaccurate/misleading results.

Reply

irievibe
Explorer
‎06-09-2015 05:50 PM

Yet, no other solutions . . .

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...