Error: "The lookup table 'windows_action_lookup' d...

zliu · ‎06-08-2010

"The lookup table 'windows_action_lookup' does not exist. It is referenced by configuration 'ntsyslog:security'."

The lookup table 'windows_action_keywords_lookup' does not exist. It is referenced by configuration 'ntsyslog:security'.

added [lookups] export=system stanza in $splunk_home/etc/system/metadata/local.meta config file and restart splunkd, but it doesn't help 😞 unlike in this question: http://answers.splunk.com/questions/1716/error-in-lookup-command-the-lookup-table-test-lookup-does-n...

Found 'ntsyslog:security' at $SPLUNK_HOME/etc/apps/SKB-windows/local/props.conf: [ntsyslog:security] and $SPLUNK_HOME/etc/apps/SKB-windows/local/transforms.conf: FORMAT = sourcetype::ntsyslog:security

the_wolverine · ‎06-10-2010

You should investigate whether you have a duplicate lookup table (by the same name) in an alternate location. If you do, make sure to keep the desired table that is referenced by the aforementioned configuration and delete the duplicate.

An easy way to find duplicate lookup tables is by going to the Manager >> Lookups >> Lookup Tables Files (in UI). You can delete the duplicate from this view without having to restart Splunk.

Error: "The lookup table 'windows_action_lookup' does not exist. It is referenced by configuration 'ntsyslog:security'."

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!