All,
I've seen this:
https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html
and it doesn't work for the case I'm trying. The lookup files live in the etc/apps/search/lookup directory instead of the TA. The reason for this is I want the user to be able to maintain their own exclusion files and they won't have access to the TA. The search looks like this:
index=data_index sourcetype=data_sourcetype NOT [| inputlookup ssid_exclusions ] NOT [| inputlookup authorized_ap_mac ]
| rex field=detectingIPString "(?<cidr>\d{1,3}\.\d{1,3}\.\d{1,3})"
| eval cidr_simple=cidr.".0/24"
| lookup cidr_lookup.csv cidr_simple
| eval ap_location=street_address." ".city." ".state." ".zip
| table ssId rogueApMacAddr alarmCreationTime cidr_simple detectingIPString ap_location rssi
| sort ssId
The ssid_exclusions and authorized_ap_mac are pointing respectively to ssid_exclusions.csv and authorized_ap_mac.csv in the $SPLUNK_HOME/etc/apps/search/lookups directory. The data looks like this:
ssid_exclusions.csv
ssId_header
ssid_1_to_exclude_from_search
ssid_2_to_exclude_from_search
...
ssid_n_to_exclude_from_search
ssidA*
ssidB*
...
ssidZ*
authorized_ap_mac.csv
mac_address_header
mac_address_1
mac_address_2
...
mac_address_n
Basically simple filters to exclude either the ssid or the mac address from the search results. The problem is when I try the answer given in my TA, see below:
default/props.conf
[data_sourcetype]
REPORT-getdatafields = get_data_fields
LOOKUP-ssId = ssIdlookup ssId OUTPUT ssId
default/transforms.conf
#
# Override host
#
[overridehost]
DEST_KEY = MetaData:Host
REGEX = \s([^ ]+)\s\[
FORMAT = host::$1
[severities_lookup]
filename = severities.csv
#
# Get data fields
#
[get_data_fields]
REGEX = (\w+)=([^\,]+)\,
FORMAT = $1::$2
#
# Wildcard ssid
#
[ssIdlookup]
filename = /apps/splunk/etc/apps/search/lookups/ssid_exclusions.csv
match_type = WILDCARD(ssId)
I get an error about not finding the lookup file.
The lookup table 'ssIdlookup' does not exist. It is referenced by configuration data_sourcetype
Any suggestions?
TIA,
Joe
You could always escalate the scope of your TA from app to global as a simpler option.
Your stuff has many problems, chief of which is that you have only 1 field in your lookup files. You need an input field AND an output field.
Try this:
$SPLUNK_HOME/etc/apps/search/lookups/ssid_exclusions.csv
ssId_header, excludeMeIfY
ssid_1_to_exclude_from_search, Y
ssid_2_to_exclude_from_search, Y
..., Y
ssid_n_to_exclude_from_search, Y
ssidA*, Y
ssidB*, Y
..., Y
ssidZ*, Y
$SPLUNK_HOME/etc/apps/search/default/props.conf
[data_sourcetype]
LOOKUP-ssId_to_excludeMeIfY = ssId_to_excludeMeIfY ssId_header AS ssId OUTPUT excludeMeIfY
$SPLUNK_HOME/etc/apps/search/default/transforms.conf
[ssId_to_excludeMeIfY]
filename = ssid_exclusions.csv
match_type = WILDCARD(ssId_header)
Now you can exclude like this:
... | where isnull(excludeMeIfY)
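As an added illustration (not code from this thread or from Splunk), the Python below models how the two-column wildcard lookup and the where isnull(excludeMeIfY) filter from the answer behave on a few constructed events. The CSV rows, the events and the MAC addresses are made up; only '*' is treated as a wildcard, and the case_sensitive flag mirrors the transforms.conf case_sensitive_match setting, which defaults to true for CSV lookups.

```python
import csv
import io
import re

# Constructed stand-in for $SPLUNK_HOME/etc/apps/search/lookups/ssid_exclusions.csv,
# in the two-column shape the answer recommends (input field plus output field).
SSID_EXCLUSIONS_CSV = """\
ssId_header,excludeMeIfY
corp-wifi,Y
guest-wifi,Y
ssidA*,Y
"""

# Constructed sample events; the MAC addresses are made up.
EVENTS = [
    {"ssId": "corp-wifi",   "rogueApMacAddr": "00:11:22:33:44:55"},
    {"ssId": "ssidA-guest", "rogueApMacAddr": "00:11:22:33:44:66"},
    {"ssId": "ssidB-guest", "rogueApMacAddr": "00:11:22:33:44:77"},
    {"ssId": "GUEST-WIFI",  "rogueApMacAddr": "00:11:22:33:44:88"},
]

def load_lookup(text):
    """Parse the lookup CSV into (ssId_header pattern, excludeMeIfY) rows."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    return [(row["ssId_header"], row["excludeMeIfY"]) for row in reader]

def wildcard_regex(pattern, case_sensitive=True):
    """match_type = WILDCARD(...) treats only '*' as a wildcard; the rest is literal.
    CSV lookups compare case-sensitively unless case_sensitive_match = false."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(regex, 0 if case_sensitive else re.IGNORECASE)

def wildcard_lookup(events, lookup, case_sensitive=True):
    """Emulate LOOKUP-... ssId_header AS ssId OUTPUT excludeMeIfY: the first row whose
    pattern matches the event's ssId sets excludeMeIfY; other events get no such field."""
    rows = [(wildcard_regex(p, case_sensitive), flag) for p, flag in lookup]
    enriched = []
    for ev in events:
        ev = dict(ev)
        for rx, flag in rows:
            if rx.fullmatch(ev["ssId"]):
                ev["excludeMeIfY"] = flag
                break
        enriched.append(ev)
    return enriched

def where_isnull(events, lookup, case_sensitive=True):
    """The answer's filter, ... | where isnull(excludeMeIfY), returning surviving ssIds."""
    kept = wildcard_lookup(events, lookup, case_sensitive)
    return [ev["ssId"] for ev in kept if "excludeMeIfY" not in ev]
```

With the default case-sensitive match, GUEST-WIFI survives the filter even though guest-wifi is in the exclusion list; setting case_sensitive_match = false in the transforms.conf stanza (case_sensitive=False here) drops it as well.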
Thanks, but I was overthinking it. Once I changed it from ssid_exclusions to ssid_exclusions.csv in the search it worked as it should.