I have a custom-written app. Actually, it's a legit app to which I just added a few lines in the props.conf and inputs.conf files to help obtain some other types of logs and extract useful fields in the log.
So far it appears to be working well; however, I had the following line in the props to help make some comparison to a lookup table:
LOOKUP-signals = signals signal_number as sig
I put the lookup file signals.csv in the lookup folder.
However, now I get the following error when I do my searches:
[WSECP0005] The lookup table 'signals' does not exist. It is referenced by configuration 'linux:audit'.
Any ideas what could be wrong?
Lookup definitions live in transforms.conf, minimally like this:
[signals]
filename = signals.csv
That should be deployable along with the rest of the app.
I realized that after posting the question. However, this is an App deployed through the deployment manager. How can I create a lookup definition such that it is a part of the App and gets deployed through the deployment manager?
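A pre-deployment check for the error in this thread, added here as an example and not code from any poster or from Splunk: it confirms that every `LOOKUP-` setting in the app's props.conf has a matching transforms.conf stanza and a CSV under the app's lookups/ directory. The function names, the simplified .conf parser (no line continuations) and the constructed contents of signals.csv are assumptions; the layout assumed is the usual default/, local/ and lookups/ folders inside the app.

```python
import tempfile
from pathlib import Path

def parse_conf(path):
    """Parse a Splunk .conf file into {stanza: {key: value}} (simplified parser)."""
    stanzas, current = {}, "default"
    text = path.read_text(encoding="utf-8") if path.is_file() else ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def check_lookups(app_dir):
    """List LOOKUP-* settings in props.conf that the app cannot resolve on its own."""
    props, transforms = {}, {}
    for layer in ("default", "local"):  # local/ settings override default/
        for conf, merged in (("props.conf", props), ("transforms.conf", transforms)):
            for stanza, kv in parse_conf(Path(app_dir, layer, conf)).items():
                merged.setdefault(stanza, {}).update(kv)
    refs = [(s, k, v.split()[0]) for s, kv in props.items()  # first token = lookup name
            for k, v in kv.items() if k.startswith("LOOKUP-") and v.split()]
    problems = []
    for stanza, key, name in refs:
        filename = transforms.get(name, {}).get("filename")
        if name not in transforms:
            problems.append(f"[{stanza}] {key}: no [{name}] stanza in transforms.conf")
        elif filename and not Path(app_dir, "lookups", filename).is_file():
            problems.append(f"[{stanza}] {key}: lookups/{filename} not found")
    return problems

def build_sample_app(root, with_transforms):
    """Write a constructed app that mirrors the files named in the thread."""
    files = {"default/props.conf": "[linux:audit]\nLOOKUP-signals = signals signal_number as sig\n",
             "lookups/signals.csv": "signal_number,signal_name\n9,SIGKILL\n"}
    if with_transforms:
        files["default/transforms.conf"] = "[signals]\nfilename = signals.csv\n"
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")
    return root

if __name__ == "__main__":
    for flag in (False, True):
        print(flag, check_lookups(build_sample_app(tempfile.mkdtemp(), flag)))
```

Run against the app directory before it is handed to the deployment server; an empty list means every lookup referenced in props.conf ships with its definition and file.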