- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why am I getting "The lookup table '...' does ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why am I getting "The lookup table '...' does not exist." errors after upgrading from Splunk 6.0.1 to 6.2.1?
These are the errors I am getting:
The lookup table 'endpoint_change_object_category_lookup' does not exist. It is referenced by configuration 'WinRegistry'.
The lookup table 'endpoint_change_object_category_lookup' does not exist. It is referenced by configuration 'fs_notification'.
The lookup table 'endpoint_change_status_lookup' does not exist. It is referenced by configuration 'WinRegistry'.
The lookup table 'endpoint_change_status_lookup' does not exist. It is referenced by configuration 'fs_notification'.
The lookup table 'endpoint_change_user_type_lookup' does not exist. It is referenced by configuration 'WinRegistry'.
The lookup table 'endpoint_change_vendor_action_lookup' does not exist. It is referenced by configuration 'WinRegistry'.
The lookup table 'endpoint_change_vendor_action_lookup' does not exist. It is referenced by configuration 'fs_notification'.
The lookup table 'fs_notification_change_type_lookup' does not exist. It is referenced by configuration 'fs_notification'.
The lookup table 'msdhcp_signature_lookup' does not exist. It is referenced by configuration 'DhcpSrvLog'.
The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...'.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The best way I found is to go to the /etc/apps directory and run:
grep -r "lookup-file-causing-error" *
This will find all instances. You can then disable or uninstall whichever app is associated to confirm the error messages go away. That at least allows you to focus on which lookup is broken.
In my case, it was due to uninstalling the TA_SalesForce, but the Splunk App for Salesforce was still installed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I faced the same issue as well after I upgraded to 6.2.1, and I found the difference between old version and the new one is the reference to csv lookup file in props.conf.
In 6.0.1 props.conf
[sourcetype]
LOOKUP-test_lookup = test_lookup_file field_1 OUTPUT new_field
In 6.2.1 props.conf
[sourcetype]
LOOKUP-test_lookup = test_lookup_file.csv field_1 OUTPUT new_field
The difference is that the extension of lookup file should be added.
Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Adding the extension changes the meaning - with .csv, you're referring to a lookup file stored in some /lookups directory; without .csv, you're referring to a lookup definition stored in transforms.conf.
If adding .csv fixes things for you, it really means your lookup definition is broken, not shared correctly, not named properly, etc.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Martin for the heads up, yes I forgot to define my lookups in the transforms.conf in my new installation.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check the owner & permissions of the lookups and the user splund process is running as. .../etc/apps/Splunk_TA_nix/lookups
You might want to recursively chown all your splunk directories
chown -Rf splunkUser:splunkGroup ....
My guess is someone ran splunkd as root when upgrading and root took ownership of several files, etc. Or something similar.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Some of those lookups sound as if they come from the Splunk *nix app (https://splunkbase.splunk.com/app/273/), so check in .../etc/apps/Splunk_TA_nix/lookups that they exist and that your splunk user has correct permissions.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the same problem. Search head and index cluster, both have the appropriate bits installed (App, SA, and/or TA - SA and TA from the app/install directory) as specified by the instructions but I get this error from every index cluster member on every search. It seems like I didn't start seeing this error until upgrading from 6.3.0 to 6.3.1 on clustered hosts.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
...make sure those lookup configurations are correct and the lookups actually exist?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the quick answer....I am new to splunk. What we had worked in 6.0.1 and not 6.2.1. Where would I start looking at?
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
