- Community
- :
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why am I getting error "The lookup table 'mylo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why am I getting error "The lookup table 'mylookuptable' does not exist. It is referenced by configuration 'my_lookuptype'"?
I have this data below and I want a flow chart of start time and end time on the x-axis and cmd1, cmd2......on the y-axis.
03-25-2015 03:04:31.189, cmd1 = Start_time_of_if
03-25-2015 03:09:31.189, cmd1 = end_time_of_if
03-25-2015 03:12:31.189, cmd2 = Start_time_of_if
03-25-2015 03:17:31.189, cmd2 = end_time_of_if
03-25-2015 03:20:31.189, cmd3 = Start_time_of_grep
03-25-2015 03:24:31.189, cmd3 = end_time_of_grep
03-25-2015 03:27:31.189, cmd4 = Start_time_of_if
03-25-2015 03:32:31.189, cmd4 = end_time_of_if
03-25-2015 03:38:31.189, cmd5 = Start_time_of_sed_command
03-25-2015 03:42:31.189, cmd5 = end_time_of_sed_command
03-25-2015 03:49:31.189, cmd6 = Start_time_of_if
03-25-2015 03:55:31.189, cmd6 = End_time_of_if
Can you please help me solve this question?
I used this search:
|rex field=_raw "^(?P[^ ]+)\s+,\s+(?P\w+)\s+=\s+(?P\w+\s+\w+) of (?P.+)"|eval start_time=if(status="Start time",Time,"")|eval end_time=if(status="end time" OR status="End time",Time,"")|table cmd_name,command,start_time,end_time|stats max(start_time) as start_time,max(end_time) as end_time by cmd_name,command
but I'm getting an error:
The lookup table 'mylookuptable' does not exist. It is referenced by configuration 'my_lookuptype'.
and I've done some configurations for this. Can u please give guidance on how to solve this question?Thank UUUUUUUUUUUUUUUUUUUUU
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In case you haven't got the answer for it: I faced the similar issue yesterday when I try to configure props.conf in the local directory. I copied everything from props.conf.example ( http://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Propsconf ) and there we have :
# The following example shows how to configure lookup tables
[my_lookuptype]
LOOKUP-foo = mylookuptable userid AS myuserid OUTPUT username AS myusername
which was the root cause of this issue. I disabled it (put # in front of these lines) and restarted Splunk. Everything is working fine now. I am writing here to help someone who might face the same issue with Splunk 7x.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ya permissions have for that @stephane_cyrille
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i can't help you if i don't have your files. can you send it me?
this my address tiwa.romuald@yahoo.fr
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
check the lookup table permissions.
Streamline Data Ingestion With Deployment Server Essentials
Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...
Introduction to Splunk AI
