I am having a problem with lookup tables in a distributed search environment. The lookup table is working on the main search head but I receive the below error on the secondary Linux instance.
- [Linux_Instance] The lookup table 'Windows_EventCode_Lookup' does not exist. It is referenced by configuration 'WMI:WinEventLog:Security'.
- [Linux_Instance] The lookup table 'W2K3_Logon_Type_Lookup' does not exist. It is referenced by configuration 'WMI:WinEventLog:Security'.
The search head is a Windows system; the error is from the Linux Splunk system. I do have export=system set up on both systems and I have created the lookup on the Linux Splunk instance, but it still gives me the above error.