Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

lookup table does not exist

gl0balt3kkie
New Member
‎07-25-2019 12:27 PM

I am having an issue where anyone that does a splunk search gets the following error:

The lookup table 'event_id_to_action_lookup' does not exist. It is referenced by configuration 'MSExchange:2013:MessageTracking'

I would be most obliged for any insight that anyone would be able to provide about this issue.

Thanks in advance.

0 Karma
Reply

rjteh_splunk
Splunk Employee
Splunk Employee
‎07-26-2019 12:22 AM

@gl0balt3kkie, the automatic lookup file is most likely missing from your splunk server i.e. it may not be on disk anymore. Either an app search/splunk collections were not enabled again. At times the lookup file maybe removed from a splunk version/app upgrade, usually the latter, but it's best to check if it's on disk manually.

You can find where the lookup file is located by checking the lookup definition, followed by the file itself, on the UI. Simply navigate to...

UI > Settings > Lookups > Lookup definitions > Select "All" for App Context > Select Owner as "Any" > Enter "event_id_to_action_lookup" in the search filter and hit find.

Once you see the lookup filename, then you can navigate to...

UI > Settings > Lookups > Lookup table files > Select "All" for App Context > Select Owner as "Any" > Enter "event_id_to_action_lookup.csv" (if it is the same filename) in the search filter and hit find.

You will see the folder path for the lookup file.

The actual "event_id_to_action_lookup.csv" lookup file is part of the "TA-Exchange-Mailbox" app (TA-Exchange-Mailbox/lookups folder) which can be found here if you download "Splunk Add-on for Microsoft Exchange" app.

https://splunkbase.splunk.com/app/3225/

If this file is missing from your search head, you will need to import it back.

0 Karma
Reply

gl0balt3kkie
New Member
‎07-31-2019 11:34 AM

ok, thank you.

0 Karma
Reply

gl0balt3kkie
New Member
‎07-31-2019 11:40 AM

When I do a search at UI > Settings > Lookups > Lookup Definitions and ALL and ANY I get the following:
"There are no configurations of this type. Click the "New" button to create a new configuration."

0 Karma
Reply

rjteh_splunk
Splunk Employee
Splunk Employee
‎07-31-2019 11:44 AM

Do you have any lookup files in the "UI > Settings > Lookups > Lookup table files" section?

0 Karma
Reply

gl0balt3kkie
New Member
‎07-31-2019 01:01 PM

Yes, quite a few. However, I get the same message as above when I do a search for : event_id_to_action_lookup

0 Karma
Reply

jawaharas
Motivator
‎07-25-2019 11:24 PM

  1. Can you provide the Splunk search you used?

  2. Do you have necessary access to the lookup file?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...