uberAgent Support

Workaround for lookup_appnameidmapping Errors with Splunk Free

On Splunk Free uberAgent 3.x cannot automatically generate the lookup table appnameidmapping.csv referenced as lookup_appnameidmapping. Because of the missing lookup table the following error messages are displayed on many dashboards:

  • The lookup table 'lookup_appnameidmapping' does not exist. It is referenced by configuration 'uberAgent:Process:NetworkTargetPerformance'.
  • The lookup table 'lookup_appnameidmapping' does not exist. It is referenced by configuration 'uberAgent:Process:ProcessDetail'.
  • The lookup table 'lookup_appnameidmapping' does not exist. It is referenced by configuration 'uberAgent:Process:ProcessStartup'.

See this article for details and for information on officially supported versions.

Workaround

As a workaround, the lookup table can be generated manually. To do that run a slightly modified search populate_appnameidmapping from uberAgent's savedsearches.conf.

The original search:

`index` sourcetype=uberAgent:Application:AppNameIdMapping AppId=* AppName=* | stats first(_time) as _time first(AppName) as AppName by AppId | inputlookup append=t lookup_appnameidmapping | stats first(_time) as _time first(AppName) as AppName by AppId | eval TimeDelta=now()-_time | search TimeDelta<31536000 | fields AppName AppId _time

We simply append the outputlookup command to have Splunk create the lookup table. The full search looks like this:

`index` sourcetype=uberAgent:Application:AppNameIdMapping AppId=* AppName=* | stats first(_time) as _time first(AppName) as AppName by AppId | inputlookup append=t lookup_appnameidmapping | stats first(_time) as _time first(AppName) as AppName by AppId | eval TimeDelta=now()-_time | search TimeDelta<31536000 | fields AppName AppId _time | outputlookup lookup_appnameidmapping

Run this search over a longer time range (e.g. last seven days) to capture mappings for applications that are run only infrequently, too.

After running the search Splunk might display the error message "Could not write to file 'lookup_appnameidmapping': Failed to move file to final destination." However we found that it still creates the output file appnameidmapping.csv.

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.