Splunk Search

The lookup table 'nix_action_lookup' does not exist. It is referenced by configuration 'IDS

hartfoml
Motivator

Arg this is so frustrating.

I cant find the nix_action_lookup and I can't find the IDS config.

How do i troubleshoot this error.

Is there a btool shortcut to find where this permissions issue is coming from and where the files and config is so I can update permissions.

Arggggg

need help before I go mad and strangler a honey badger

Tags (3)
0 Karma
1 Solution

lukejadamec
Super Champion

I believe nix_action_lookup is defined as vendor_action.csv
Go to Manager>Lookups>Lookup Definitions> and Select All Apps. You should find it in that list.
Set the permissions to Global.

View solution in original post

lukejadamec
Super Champion

I believe nix_action_lookup is defined as vendor_action.csv
Go to Manager>Lookups>Lookup Definitions> and Select All Apps. You should find it in that list.
Set the permissions to Global.

View solution in original post

hartfoml
Motivator

Thanks Luck this was helpful and i am crediting you with the answer although i was on a web-ex with support we were able to solve the permissions problem but we can't quiet say how.

0 Karma

lukejadamec
Super Champion

My fault. You are failing on the Automatic Lookup permissions, not the Lookup Definition permissions.
Make sure Manager>Lookups>Automatic Lookups> permissions are set to global.

hartfoml
Motivator

Luke,

It's so easy when you know where to look. I did find the definition there and it was set to global. I changed the permissions to Read&Write for all and am still getting the error message. I wouldn't think I would have to do anything on the indexers for this. I shouldn't have to have the lookup on the indexer for any reason should I?

Can you help just a little more please.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.