topic Re: Splunk Add-on for Sysmon - Could not load lookup=LOOKUP-eventcode in Getting Data In

Splunk Add-on for Sysmon - Could not load lookup=LOOKUP-eventcode

corti77 — Wed, 12 Jun 2024 12:56:19 GMT

Hi,

Following the official instructions https://apps.splunk.com/apps/id/Splunk_TA_microsoft_sysmon ,

Splunk Add-on for Sysmon 4.0.0

I just deployed the addon for sysmon in my indexer, search head and deployment servers so I started to collect sysmon logs.

I am running Sysmon 15.14 on the endpoints. The logs started to flow into splunk but when I do searches on the index I constantly receive the following error:

[indexer.mydomain.es, mysearchhead.mydomain.es] Could not load lookup=LOOKUP-eventcode

I read the information in the https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/Lookups but I couldnt find the root cause. The csv are in the path indicated in the documentation. 😕

Any suggestion?

many thanks

Re: Splunk Add-on for Sysmon - Could not load lookup=LOOKUP-eventcode

deepakc — Thu, 13 Jun 2024 16:33:10 GMT

If you look under lookups, it should show that those are all set and defined. So double check lookup up tables files / Lookup definitions / Automatic Lookups and check sysmon app context.

Also check if there's another lookup with that name, sometimes I have seen another same name

#this should point to most of the sysmon TA code (transforms) or show another.

/opt/splunk/bin/splunk cmd btool transforms list eventcode --debug

Re: Splunk Add-on for Sysmon - Could not load lookup=LOOKUP-eventcode

corti77 — Mon, 17 Jun 2024 08:31:41 GMT

You were so right @deepakc ! Thanks a lot.

I had duplicate eventcode lookups created by Microsoft Windows Defender Add-on for Splunk and Splunk_TA_microsoft_sysmon

I just removed Defender Add-on which is not officially supported. I need to find some other with support that I guess will not generate this type of conflict. Do you have any suggestion for this ? 😉

Re: Splunk Add-on for Sysmon - Could not load lookup=LOOKUP-eventcode

deepakc — Mon, 17 Jun 2024 11:38:00 GMT

I guess you can have same auto lookup attribute names inside the same App, that then point to look up files being used. but causes issues when same inside of another app (I know Splunk for saved searches sends a message with same name or duplicate, but I don’t think it does for lookups)

So, something like this alert may help

| rest splunk_server=local servicesNS/admin/search/data/props/lookups | search attribute=LOOKUP-* | stats count by attribute ```Filter or add ones that are OK as they may be other attributes that use similar lookups in the same App context``` ```| search NOT attribute="LOOKUP-my_ok_lookup1" NOT attribute="LOOKUP- my_ok_lookup2"``` | eval duplicate=if(count > 1, "Yes", "No") | where count > 1

You can then find out, explore if there are other apps that use the same name attribute:

Example in your case eventcode

| rest splunk_server=local servicesNS/admin/search/data/props/lookups | search attribute=LOOKUP-eventcode

Have play and see if this helps.

Re: Splunk Add-on for Sysmon - Could not load lookup=LOOKUP-eventcode

deepakc — Mon, 17 Jun 2024 11:39:00 GMT

No worries, glad it worked out out 🙂