Splunk Add-on for Cisco ASA: Why am I getting "The lookup table networkservice does not exist" in the alert messages?

rubeniturrieta
Communicator

Hi to everybody,

I have a little problem. I can see in the alert messages, with this text:

1) The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:asa'.
2) The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:fwsm'.
3) The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:pix'.

I have only Cisco ASA Firewall data.

Any help, I'll be very grateful.

Thanks a lot in advance

Rubén

1 Solution

trymo
Engager

If you don't want to remove SA-cisco-asa, you may want to do a modification in 'SA-cisco-asa/default/transforms.conf':
1. create directory 'local' under 'SA-cisco-asa'
2. copy 'default/transforms.conf' to 'local/transforms.conf'
3. add the following to 'local/transforms.conf':

    [networkservice]
    filename = service-names-port-numbers.csv
    max_matches = 1

4. copy file 'Splunk_CiscoSecuritySuite/lookups/service-names-port-numbers.csv' to 'SA-cisco-asa/lookups/service-names-port-numbers.csv'
5. restart splunk

no errors so far...

molinarf
Communicator

I tried this and it works. The error: 'The lookup table 'networkservice' does not exist.' cleared up. I am wondering why, whenever there are upgrades to applications, we inevitably have to go through and find out what's missing. Thank you trymo for providing this answer.

lindbergh_calde
Explorer

I tried this workaround as well. It works like a charm.

Thanks trymo for providing this answer.

sjh65
Explorer

I had to disable "SA-cisco-asa (3.0.1)" for these 'networkservice' errors to disappear. They didn't disappear from rerunning a search, but once I ran a new search on a new page after disabling the SA add-on, all is well again.

The only related parts I have are:

  • Splunk Add-on for Cisco ASA Splunk_TA_cisco-asa 3.2.1
  • Cisco ASA / PIX / FWSM Dashboards SA-cisco-asa 3.0.1 Disabled and Soon to Be Removed
  • Cisco ESA Email Security Appliance Dashboards SA-cisco-esa 3.0.3
  • Cisco Security Suite Splunk_CiscoSecuritySuite 3.1.0
  • Splunk Add-on for Cisco ASA Splunk_TA_cisco-asa 3.2.1
  • Splunk Add-on for Cisco ESA Splunk_TA_cisco-esa 1.1.0

The firewall dashboards within the Cisco Security Suite all seem to be in working order still.

jimmy_ford
New Member

I have the same issue. The "networkservice" lookup definition is in the Cisco Security Suite App. You can find it when clicking > Settings > Lookups > Lookup Definitions > pull down "App context" to all apps and do the search on the right hand side for "networkservice"

I also have an issue where if I do a search in the Search and Reporting for anything involving my Cisco syslog and get the following: "The lookup table 'networkservice' does not exist. It is referenced by configuration 'cisco:asa'." so it's not just the Cisco Security Suite app affected.

I disabled all the Splunk Cisco add-ons in the Cisco Security Suite app > Help > Setup > check boxes for all the dashboards, and the SA-cisco-asa, and still get errors on the Suite dashboard.

If I go straight to a search: "eventtype=cisco-security-events" events populate.....

If I do this search: "eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" " I get nothing... weird

swasserroth
Path Finder

In our case, the following Cisco-ASA-specific things were installed:
- SA-cisco-asa (3.0.1): this was causing the errors after upgrading the Splunk_CiscoSecuritySuite from 3.0.3 to 3.1.0 and therefore is now disabled
- Splunk_TA_cisco-asa (3.2.1)
- Splunk_CiscoSecuritySuite (3.2.1)

With this configuration we do not get any errors regarding table "networkservice", because this table is defined inside the app Splunk_CiscoSecuritySuite (look at default/transforms.conf) and requires service-names-port-numbers.csv, which is located in the app-subdirectory lookups.

If you have installed SA-cisco-asa (3.0.1), you will find there in the props.conf more references to "networkservice", but the SA-cisco-asa does not define any transforms and does not contain the .csv-file needed -- thus the error.

So far our analysis -- your mileage may vary 😉

Regards,
Stephan
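
The condition described in this analysis, and the one the accepted workaround repairs, can be checked mechanically. This is an added example, not code from any poster or from the Splunk apps. The function names are hypothetical, the `LOOKUP-` field names and CSV row are constructed, and it assumes each app must define and ship its own lookup, ignoring cross-app sharing through metadata.

```python
import tempfile
from pathlib import Path

def read_conf(app_dir, name):
    """Parse default/ then local/ copies of a .conf file; local settings win."""
    stanzas = {}
    for layer in ("default", "local"):
        path = Path(app_dir) / layer / name
        lines = path.read_text(encoding="utf-8").splitlines() if path.is_file() else []
        current = "default"  # settings that precede any [stanza] header
        for line in map(str.strip, lines):
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
            elif "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def dangling_lookups(apps_dir):
    """Yield (app, props stanza, lookup, problem) for each unresolved LOOKUP- setting."""
    for app in sorted(Path(apps_dir).iterdir()):
        transforms = read_conf(app, "transforms.conf")
        for stanza, settings in read_conf(app, "props.conf").items():
            for key, value in settings.items():
                if key.upper().startswith("LOOKUP-") and value:
                    table = value.split()[0]  # first token names the lookup definition
                    fname = transforms.get(table, {}).get("filename")
                    if fname is None:
                        yield app.name, stanza, table, "no transforms.conf stanza"
                    elif not (app / "lookups" / fname).is_file():
                        yield app.name, stanza, table, "missing lookups/" + fname

def build_sample():
    """Constructed app tree: SA-cisco-asa references the lookup, only the suite defines it."""
    root = Path(tempfile.mkdtemp())
    files = {  # LOOKUP- field names and the CSV row are made up for this example
        "SA-cisco-asa/default/props.conf":
            "[cisco:asa]\nLOOKUP-service = networkservice dest_port OUTPUT service\n",
        "Splunk_CiscoSecuritySuite/default/transforms.conf":
            "[networkservice]\nfilename = service-names-port-numbers.csv\nmax_matches = 1\n",
        "Splunk_CiscoSecuritySuite/lookups/service-names-port-numbers.csv":
            "dest_port,service\n443,https\n",
    }
    for rel, text in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(text, encoding="utf-8")
    return root

if __name__ == "__main__":
    print(list(dangling_lookups(build_sample())))
```

To check a real instance, pass the path to `$SPLUNK_HOME/etc/apps` to `dangling_lookups` instead of the constructed tree.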

jimmy_ford
New Member

Okay I deleted the SA cisco addon but the Cisco security app still doesn't work (the dashboard still shows blank)...

And I still get: Eventtype 'cisco_esa* does not exist or is disabled' I only have asa enabled on the dashboard and the TA on the indexer.

If I go straight to a search: "eventtype=cisco-security-events" events populate.....

If I do this search: "eventtype=cisco-security-events dest_ip!="255.255.255.255" dest_ip!="0.0.0.0" src_ip="*" " I get nothing... weird

swasserroth
Path Finder

OK, probably I have found the root cause: as soon as I disabled the application "Cisco ASA / PIX / FWSM Dashboards" (SA-cisco-asa), these errors vanished. The newest incarnation of the Cisco Security Suite seems to work without this older SA, maybe it should be de-installed. The embedded link of SA-cisco-asa pointing to the Splunk Apps website leads to a 404 error.

Regards,
Stephan

swasserroth
Path Finder

We are hit by the same problem: after upgrading the Cisco Security Suite from 3.0.3 to 3.1.0 these errors are displayed on any dashboard. Must be directly related to this version of the app...

Regards,
Stephan

jcoates_splunk
Splunk Employee

Hi, there's no such lookup in the add-on... can you use btool to find out where the lookup is being referenced? http://docs.splunk.com/Documentation/Splunk/6.2.1/Troubleshooting/Usebtooltotroubleshootconfiguratio...

ppablo
Community Manager

Hi @rubeniturrieta

Are you referring to the Splunk Add-on for Cisco ASA in your post? https://apps.splunk.com/app/1620/

or any other app/add-on?

rubeniturrieta
Communicator

Yes, I'm referring to the Splunk Add-on for Cisco ASA

ppablo
Community Manager

Thanks for clarifying. I just edited your post and tagged it with the official tag for the add-on.

rubeniturrieta
Communicator

OK, thank you
