Hello all,
We are trying to set up the Splunk App for Windows Infrastructure on one of our search heads. All the pre-reqs work and it is able to populate a lot of the dashboards. However after installing it, all other normal splunk searches on that head produce the error:
[splunk-idx1] The lookup table 'windows_signature_lookup' does not exist. It is referenced by configuration 'source::(MonitorWare|NTSyslog|Snare|WinEventLog|WMI:WinEventLog)...'.
The documentation for the app says that you shouldnt have to install the app on the indexer. We tried it anyway, but it didnt help. The file exists, we can search it as in:
| inputlookup windows_signatures.csv
| search signature_id=512
We've checked the app context and permissions, the actual file permissions on the search head. It all seems to look OK. It looks like it could be a very useful app if we can get it to work, so I thought I'd ask for opinions from more experienced Splunkers!
↧