Splunk Search

Why am I getting "The lookup table 'dropdownsLookup' does not exist." errors after every search?

appzen
Path Finder

Every time I do a search, the search results are successful but I get these prompts atop of my search results, each with an orange triangle icon with an exclamation is:

Info.csv being bloated by "lookup" log messages . Will not log additional errors. Refer search.log
The limit has been reached for log messages in info.csv. 1 messages have not been written to info.csv. Please refer search.log for these messages or limits.conf to configure this limit.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration '(?i)source::....zip(.\d+)?'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'ActiveDirectory'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'BoxAppForSplunk_controller-too_small'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'Linux:SELinuxConfig'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'PerformanceMonitor'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'Splunk_TA_aws-RestEndpoints-account-list-too_small'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'WinNetMonMk'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'WinPrintMon'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'WinRegistry'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'WinWinHostMon'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration '__singleline'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration '_json'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'access_combined'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'access_combined_wcookie'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'access_common'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'aix_secure'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'anaconda'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'anaconda_syslog'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'apache_error'.
The lookup table 'dropdownsLookup' does not exist. It is referenced by configuration 'asterisk_cdr'.

I don't remember activating anything from another app. I did download the Splunk App for Unix and Linux, but it's disabled at the moment. That was the only thing I can think of that I changed. How do I get rid of this error? Is there another app that I need to disable?

Tags (3)

schultet
Path Finder

I too and getting these messages now.

•The limit has been reached for log messages in info.csv. 16 messages have not been written to info.csv. Please refer to search.log for these messages or limits.conf to configure this limit.
•The lookup table 'MSADGroupType' does not exist. It is referenced by configuration 'source::*:Security'.
•The lookup table 'MSADGroupType' does not exist. It is referenced by configuration 'source::WinEventLog:Security|host::13TH|WinEventLog:Security'.
•The lookup table 'MSADGroupType' does not exist. It is referenced by configuration 'source::WinEventLog:Security|host::43rd|WinEventLog:Security'.
•The lookup table 'MSADGroupType' does not exist. It is referenced by configuration 'source::WinEventLog:Security|host::CO|WinEventLog:Security'.
•The lookup table 'MSADGroupType' does not exist. It is referenced by configuration 'source::WinEventLog:Security|host::HP|WinEventLog:Security'.
•The lookup table 'MSADGroupType' does not exist. It is referenced by configuration 'source::WinEventLog:Security|host::Hypnos|WinEventLog:Security'.
•The lookup table 'MSADGroupType' does not exist. It is referenced by configuration 'source::WinEventLog:Security|host::LC|WinEventLog:Security'.
•The lookup table 'MSADGroupType' does not exist. It is referenced by configuration 'source::WinEventLog:Security|host::ND|WinEventLog:Security'.
•The lookup table 'MSADGroupType' does not exist. It is referenced by configuration 'source::WinEventLog:Security|host::OC|WinEventLog:Security'.
•The lookup table 'MSADGroupType' does not exist. It is referenced by configuration 'source::WinEventLog:Security|host::PROTEUS|WinEventLog:Security'.
•The lookup table 'MSADGroupType' does not exist. It is referenced by configuration 'source::WinEventLog:Security|host::Penia|WinEventLog:Security'.
•The lookup table 'MSADGroupType' does not exist. It is referenced by configuration 'source::WinEventLog:Security|host::SS|WinEventLog:Security'.
•The lookup table 'MSADGroupType' does not exist. It is referenced by configuration 'source::WinEventLog:Security|host::ST|WinEventLog:Security'.
•The lookup table 'endpoint_change_object_category_lookup' does not exist. It is referenced by configuration 'WinRegistry'.
•The lookup table 'endpoint_change_object_category_lookup' does not exist. It is referenced by configuration 'fs_notification'.
•The lookup table 'endpoint_change_status_lookup' does not exist. It is referenced by configuration 'WinRegistry'.
•The lookup table 'endpoint_change_status_lookup' does not exist. It is referenced by configuration 'fs_notification'.
•The lookup table 'endpoint_change_user_type_lookup' does not exist. It is referenced by configuration 'WinRegistry'.
•The lookup table 'endpoint_change_vendor_action_lookup' does not exist. It is referenced by configuration 'WinRegistry'.
•The lookup table 'endpoint_change_vendor_action_lookup' does not exist. It is referenced by configuration 'fs_notification'.
•The lookup table 'fs_notification_change_type_lookup' does not exist. It is referenced by configuration 'fs_notification'.

0 Karma

schultet
Path Finder

I have a single server SH and Indexer

0 Karma

russellliss
Path Finder

The Splunk App for Unix also installs "SA-nix" and "Splunk_TA_nix". Remove these as well, and your error should go away.

0 Karma

awilliams_splun
Splunk Employee
Splunk Employee

Are you getting this error in a SH cluster? I've noticed this error myself in my test environment. I'm using a deployer server to push updates to my SHC and have noticed that the dropdowns.csv file gets removed. If I redeploy the apps to the SHC the file returns and the errors go away.

0 Karma

appzen
Path Finder

What do you mean by SH cluster?

0 Karma

russellliss
Path Finder

Search Head, one or more in a cluster. I am getting this error myself, also after installing the Splunk App for Unix and Linux.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...