Splunk Search

Why am I getting search error "The lookup table 'signals' does not exist" after adding a CSV file in my app's lookup folder?

New Member

Hello,

I have a custom written app. Actually it's a legit app which I just added a few lines in the props.conf and inputs.conf files to help obtain some other types of logs and extract useful fields in the log.

So far it appears to be working well, however, I had the following line in the props to help make some comparison to a lookup table;

LOOKUP-signals = signals signal_number as sig

I put the lookup file signals.csv in the lookup folder.

However now I get the following error when I do my searches

[WSECP0005] The lookup table 'signals' does not exist. It is referenced by configuration 'linux:audit'.

Any ideas what could be wrong?

Thanks,
Makinde

0 Karma
1 Solution

SplunkTrust
SplunkTrust

You probably forgot to create and/or share a lookup definition called signals referencing the signals.csv file.

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

You probably forgot to create and/or share a lookup definition called signals referencing the signals.csv file.

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Lookup definitions live in transforms.conf, minimally like this:

[signals]
filename = signals.csv

That should be deployable along with the rest of the app.

0 Karma

New Member

Thanks Martin_Mueller.

I realized that after posting the question however this is an App deployed through the deployment manager, how can I create a lookup definition such that it is a part of the App and gets deployed through the deployment manager?

0 Karma