datapunctum / TA-pfsense

Splunk Technology Add-On for pfsense
Apache License 2.0

Updated to the 2.5 release of the TA and Splunk started erroring #12

Open ghost opened 3 years ago

ghost commented 3 years ago

Inputs.conf is modeled after the .sample

[udp://10000]
disabled = false
index = firewall
sourcetype = pfsense
host = pfsense.DOMAIN
no_appending_timestamp = true

4 errors occurred while the search was executing. Therefore, search results might be incomplete.
Could not load lookup=LOOKUP-filterlog_action
Could not load lookup=LOOKUP-filterlog_tcpflags
Could not load lookup=LOOKUP-filterlog_transport
Could not load lookup=LOOKUP-openvpn_action

I've tried changing the log format in pfSense, which broke the extractions. Looking at props.conf I can see matching lookups with those names, but I've little experience editing at that level.

my2ndhead commented 3 years ago

This looks more like a problem with automatic lookups. Are the errors coming from the indexers or from the search head?

ghost commented 3 years ago

I'm running Splunk as a standalone install, no distributed deployment or anything. The errors generate on the search head regardless of what Index I'm searching in.

mlaferrera commented 3 years ago

It doesn't look like the lookup tables are in the app on Splunkbase. If you manually add them it should work for you.

rmloeb commented 3 years ago

My apologies. I'm new to all this. Where do I put the lookup tables? Thank you.

RandomRhythm commented 3 years ago

I copied the lookup table files that mlaferrera linked to into the /opt/splunk/etc/apps/TA-pfsense/lookups directory. Once I did that the errors went away.
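The `Could not load lookup=LOOKUP-...` errors in the report come from automatic lookup stanzas in props.conf: each `LOOKUP-<name>` entry points at a transforms.conf stanza whose `filename` must exist under the app's `lookups/` directory, and if the CSV is not shipped the search head fails the lookup at search time. The script below is an added example written for this thread, not code from the TA-pfsense project; it walks `default/transforms.conf` and `local/transforms.conf` for an app directory and reports any `filename = ...` whose CSV is missing from `lookups/`. The sample transforms.conf and CSV names it builds in `setup_demo` are constructed for the demo and only modelled on the lookup names in the error messages; the real TA's file names may differ.

```shell
#!/bin/sh
# Added example, not part of TA-pfsense. Checks that every lookup table a
# transforms.conf stanza references actually exists under <app>/lookups/.
# Usage: sh check_lookups.sh /opt/splunk/etc/apps/TA-pfsense

# check_lookups APP_DIR
# Prints one "MISSING: <path>" line per absent CSV and returns 1 if any are
# missing, 0 otherwise. Lookup file names are assumed to contain no spaces.
check_lookups() {
  app_dir="$1"
  missing=""
  for conf in "$app_dir/default/transforms.conf" "$app_dir/local/transforms.conf"; do
    [ -f "$conf" ] || continue
    # "filename = foo.csv" lines are the CSV lookup definitions that a
    # LOOKUP-* stanza in props.conf ultimately resolves to.
    for f in $(grep -E '^[[:space:]]*filename[[:space:]]*=' "$conf" \
               | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'); do
      if [ ! -f "$app_dir/lookups/$f" ]; then
        missing="$missing$app_dir/lookups/$f
"
      fi
    done
  done
  if [ -n "$missing" ]; then
    printf '%s' "$missing" | sed 's/^/MISSING: /'
    return 1
  fi
  return 0
}

# setup_demo
# Builds a throwaway app directory (constructed sample data, not the real TA):
# two lookup definitions, only one CSV present, mirroring the Splunkbase
# package described in the thread. Prints the directory path.
setup_demo() {
  app=$(mktemp -d)
  mkdir -p "$app/default" "$app/lookups"
  cat > "$app/default/transforms.conf" <<'EOF'
# Constructed sample transforms.conf for the demo
[filterlog_action]
filename = pfsense_filterlog_action.csv

[filterlog_tcpflags]
filename = pfsense_filterlog_tcpflags.csv
EOF
  printf 'tcpflags,tcpflags_desc\n' > "$app/lookups/pfsense_filterlog_tcpflags.csv"
  printf '%s\n' "$app"
}

# Run against a real app directory when one is passed on the command line.
if [ -n "${1:-}" ]; then
  check_lookups "$1"
fi
```

Once the missing CSVs are copied into `lookups/` (as RandomRhythm did), the script returns 0; on a distributed deployment run it against the search head's copy of the app, since that is where automatic lookups are resolved.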