Lookup table is invalid

Question

I am running Splunk for OSSEC, v4. OSSEC 2.5.1 is installed and running on the same server as Splunk. I originally started Splunk as root with

/opt/splunk/bin/splunk start

but then decided I wanted to run it as a non-root user (splunk user). I chown'ed the entire /opt/splunk directory as the splunk user and then restarted Splunk. When I go to Searches & Reports > Utilities > Initialize OSSEC Server Lookup Table, and/or Rebuild Table, I get these errors:

The lookup table 'lookup_ossec_servers' is invalid.
Found no results to write to file 'lookup_ossec_servers'.

Whats the best way to "clear" everything out and start fresh? Seems like I need to delete this lookup table and start over. Any help is appreciated.

Accepted Answer

1

The initialize option currently still requires that the table is valid (this is a known issue, planned to be updated in a later release). Right now, it just clears out anything other than the default "All OSSEC Servers" entry.

The simplest thing would be to open the file in a text editor and replace its contents with:

"ossec_server",description,managed
"*","All OSSEC Servers",0

Then, run the Rebuild OSSEC Server Lookup Table search again. Alternately, you can manually add a line for your server while you're editing the file, e.g.:

myserver,"This is my managed OSSEC server",1

link

answered 28 Jun '11, 19:24

southeringtonp ♦
4.9k●2●5●24
accept rate: 35%

I tried your two suggestions and edited /opt/splunk/etc/apps/ossec/lookups/lookup_ossec_servers.csv, but I still got the same "table is invalid" error. I reinstalled the app and that worked for me. Thanks for the reply...looking forward to using the app!

(29 Jun '11, 06:08) ashbyj

Lookup table is invalid

Follow this question

Splunk Resources

Related questions