- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why am I getting error "The lookup table 'mylo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why am I getting error "The lookup table 'mylookuptable' does not exist. It is referenced by configuration 'my_lookuptype'"?
I have this data below and I want a flow chart of start time and end time on the x-axis and cmd1, cmd2......on the y-axis.
03-25-2015 03:04:31.189, cmd1 = Start_time_of_if
03-25-2015 03:09:31.189, cmd1 = end_time_of_if
03-25-2015 03:12:31.189, cmd2 = Start_time_of_if
03-25-2015 03:17:31.189, cmd2 = end_time_of_if
03-25-2015 03:20:31.189, cmd3 = Start_time_of_grep
03-25-2015 03:24:31.189, cmd3 = end_time_of_grep
03-25-2015 03:27:31.189, cmd4 = Start_time_of_if
03-25-2015 03:32:31.189, cmd4 = end_time_of_if
03-25-2015 03:38:31.189, cmd5 = Start_time_of_sed_command
03-25-2015 03:42:31.189, cmd5 = end_time_of_sed_command
03-25-2015 03:49:31.189, cmd6 = Start_time_of_if
03-25-2015 03:55:31.189, cmd6 = End_time_of_if
Can you please help me solve this question?
I used this search:
|rex field=_raw "^(?P[^ ]+)\s+,\s+(?P\w+)\s+=\s+(?P\w+\s+\w+) of (?P.+)"|eval start_time=if(status="Start time",Time,"")|eval end_time=if(status="end time" OR status="End time",Time,"")|table cmd_name,command,start_time,end_time|stats max(start_time) as start_time,max(end_time) as end_time by cmd_name,command
but I'm getting an error:
The lookup table 'mylookuptable' does not exist. It is referenced by configuration 'my_lookuptype'.
and I've done some configurations for this. Can u please give guidance on how to solve this question?Thank UUUUUUUUUUUUUUUUUUUUU
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In case you haven't got the answer for it: I faced the similar issue yesterday when I try to configure props.conf in the local directory. I copied everything from props.conf.example ( http://docs.splunk.com/Documentation/Splunk/7.1.1/Admin/Propsconf ) and there we have :
# The following example shows how to configure lookup tables
[my_lookuptype]
LOOKUP-foo = mylookuptable userid AS myuserid OUTPUT username AS myusername
which was the root cause of this issue. I disabled it (put # in front of these lines) and restarted Splunk. Everything is working fine now. I am writing here to help someone who might face the same issue with Splunk 7x.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ya permissions have for that @stephane_cyrille
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i can't help you if i don't have your files. can you send it me?
this my address tiwa.romuald@yahoo.fr
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
check the lookup table permissions.
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
