The lookup table 'msdhcp_signature_lookup' does no...

daryl_fallin · ‎08-21-2012

Getting this error when searching.

The lookup table 'msdhcp_signature_lookup' does not exist. It is referenced by configuration 'DhcpSrvLog'.

The only references I can find for msdhcp_signature_lookup are in the $SPLUNK_HOME/etc/apps/windows/default in props.conf and transforms.conf

I have copied props.conf and transforms.conf into ../local (relative to above dir) and commented out lines referencing msdhcp_signture_lookup

Any suggestions on how to get rid of this error? Or how to track this down?

props.conf

[DhcpSrvLog]
SHOULD_LINEMERGE = false
REPORT-0auto_kv_for_microsoft_dhcp = auto_kv_for_microsoft_dhcp
REPORT-dest_for_microsoft_dhcp = dest_nt_host_as_dest,dest_mac_as_dest,dest_ip_as_dest
#LOOKUP-signature_for_microsoft_dhcp = msdhcp_signature_lookup msdhcp_id OUTPUTNEW signature

tranforms.conf

#[msdhcp_signature_lookup]
#filename = msdhcp_signatures.csv

daryl_fallin · ‎08-21-2012

Ok. This is probably not the solution, but I fixed the problem by creating an empty msdhcp_signatures.csv file in the ./lookups directory.

I assume that now that the lookup table (the file) exists, splunk has stopped complaining.

djbyler · ‎09-27-2012

I agree that it is a poor solution, but creating this file did make the error message go away for me. My concern is of course that the file was missing in the first place and that as a result, some functionality is missing or will yield inaccurate/misleading results.

irievibe · ‎06-09-2015

Yet, no other solutions . . .