Why am I getting "The lookup table '...' does not exist." errors after upgrading from Splunk 6.0.1 to 6.2.1?

New Member

These are the errors I am getting:

The lookup table 'endpoint_change_object_category_lookup' does not exist. It is referenced by configuration 'WinRegistry'.
The lookup table 'endpoint_change_object_category_lookup' does not exist. It is referenced by configuration 'fs_notification'.
The lookup table 'endpoint_change_status_lookup' does not exist. It is referenced by configuration 'WinRegistry'.
The lookup table 'endpoint_change_status_lookup' does not exist. It is referenced by configuration 'fs_notification'.
The lookup table 'endpoint_change_user_type_lookup' does not exist. It is referenced by configuration 'WinRegistry'.
The lookup table 'endpoint_change_vendor_action_lookup' does not exist. It is referenced by configuration 'WinRegistry'.
The lookup table 'endpoint_change_vendor_action_lookup' does not exist. It is referenced by configuration 'fs_notification'.
The lookup table 'fs_notification_change_type_lookup' does not exist. It is referenced by configuration 'fs_notification'.
The lookup table 'msdhcp_signature_lookup' does not exist. It is referenced by configuration 'DhcpSrvLog'.
The lookup table 'windows_event_descriptions' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...'.
0 Karma

Path Finder

The best way I found is to go to the /etc/apps directory and run:

grep -r "lookup-file-causing-error" *

This will find all instances. You can then disable or uninstall whichever app is associated to confirm the error messages go away. That at least allows you to focus on which lookup is broken.

In my case, it was due to uninstalling the TA_SalesForce, but the Splunk App for Salesforce was still installed.

0 Karma

Builder

Hello,

I faced the same issue as well after I upgraded to 6.2.1, and I found that the difference between the old version and the new one is the reference to the CSV lookup file in props.conf.

In 6.0.1 props.conf
[sourcetype]
LOOKUP-test_lookup = test_lookup_file field_1 OUTPUT new_field

In 6.2.1 props.conf
[sourcetype]
LOOKUP-test_lookup = test_lookup_file.csv field_1 OUTPUT new_field

The difference is that the extension of the lookup file should be added.

Regards

SplunkTrust

Adding the extension changes the meaning - with .csv, you're referring to a lookup file stored in some /lookups directory; without .csv, you're referring to a lookup definition stored in transforms.conf.

If adding .csv fixes things for you, it really means your lookup definition is broken, not shared correctly, not named properly, etc.
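
An added example, not part of the original posts or Splunk's own tooling: it walks an etc/apps tree, reads each app's default/ and local/ props.conf and transforms.conf, and reports every LOOKUP- setting whose first token is neither a transforms.conf stanza (a lookup definition) nor, when it ends in .csv, a file present in some lookups/ directory. It assumes names resolve across all apps and does not check sharing metadata or file ownership; the app names and the sample tree are constructed.

```python
import tempfile
from pathlib import Path

def read_conf(path):
    """Minimal Splunk .conf reader -> {stanza: {key: value}}; no line continuations."""
    conf, stanza = {}, None
    for line in map(str.strip, path.read_text().splitlines()):
        if line.startswith("[") and line.endswith("]"):
            stanza = conf.setdefault(line[1:-1], {})
        elif stanza is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            stanza[key.strip()] = value.strip()
    return conf

def stanzas(apps, name):  # yields (app, stanza, settings) from default/ and local/
    for path in sorted([*apps.glob(f"*/default/{name}"), *apps.glob(f"*/local/{name}")]):
        for stanza, cfg in read_conf(path).items():
            yield path.parts[-3], stanza, cfg

def audit_lookups(apps):
    """Yield (app, props stanza, reference, problem) for an etc/apps Path (assumed layout)."""
    definitions = {s: cfg.get("filename") for _, s, cfg in stanzas(apps, "transforms.conf")}
    files = {f.name for f in apps.glob("*/lookups/*")}
    for app, stanza, cfg in stanzas(apps, "props.conf"):
        for ref in (v.split()[0] for k, v in cfg.items() if k.startswith("LOOKUP-") and v):
            problem = None
            if ref.endswith(".csv"):        # reference to a lookup file
                problem = None if ref in files else "file not in any lookups/ directory"
            elif ref not in definitions:    # reference to a lookup definition
                problem = "no matching stanza in transforms.conf"
            elif definitions[ref] and definitions[ref] not in files:
                problem = f"definition points at missing file {definitions[ref]}"
            if problem:
                yield (app, stanza, ref, problem)

def demo():
    root = Path(tempfile.mkdtemp())
    sample = {  # constructed sample tree, not taken from the thread
        "app_a/default/props.conf": "[sourcetype]\nLOOKUP-test_lookup = test_lookup_file field_1 OUTPUT new_field\n",
        "app_a/default/transforms.conf": "[test_lookup_file]\nfilename = test_lookup_file.csv\n",
        "app_a/lookups/test_lookup_file.csv": "field_1,new_field\n",
        "app_b/default/props.conf": "[other]\nLOOKUP-x = other_lookup field_1 OUTPUT new_field\n",
    }
    for rel, text in sample.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text)
    return sorted(audit_lookups(root))

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run against a copy of a real etc/apps directory, each reported tuple names the app and props.conf stanza to inspect first.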

Builder

Thanks Martin for the heads up, yes I forgot to define my lookups in the transforms.conf in my new installation.

0 Karma

SplunkTrust

Check the owner & permissions of the lookups and the user the splunkd process is running as. .../etc/apps/Splunk_TA_nix/lookups

You might want to recursively chown all your splunk directories

chown -Rf splunkUser:splunkGroup ....

My guess is someone ran splunkd as root when upgrading and root took ownership of several files, etc. Or something similar.

0 Karma

SplunkTrust

Some of those lookups sound as if they come from the Splunk *nix app (https://splunkbase.splunk.com/app/273/), so check in .../etc/apps/Splunk_TA_nix/lookups that they exist and that your splunk user has correct permissions.

0 Karma

Path Finder

I have the same problem. Search head and index cluster, both have the appropriate bits installed (App, SA, and/or TA - SA and TA from the app/install directory) as specified by the instructions but I get this error from every index cluster member on every search. It seems like I didn't start seeing this error until upgrading from 6.3.0 to 6.3.1 on clustered hosts.

0 Karma

SplunkTrust

...make sure those lookup configurations are correct and the lookups actually exist?

0 Karma

New Member

Thank you for the quick answer. I am new to Splunk. What we had worked in 6.0.1 and not 6.2.1. Where would I start looking?

0 Karma