Alerting

Issue: Could not load lookup=LOOKUP-audit01

New Member

Hey all!

We are currently running 7.3.1 splunk enterprise (Windows) on our system, I just recently ran into an issue. When I go to check on information of one of our servers. I get this error massage stating 'Could not load lookup=LOOKUP-audit01'. Now I've done research already and went into settings-> Lookups-> Lookup Definitions and searched for audit01. Now that search informed me of the lookup file being used and app that it is associated with. I went into my files and discovered that the audit01.csv does exist in the location it is stating. So, I would think there would be no issue for it to find and load it. Does anyone have any other ideas I am missing?

Labels (1)
0 Karma

Splunk Employee
Splunk Employee

Hey! Few things to qualify and find your issue:

- what does your splunk arch look like?  distributed? clustered? (see Splunk Validated Architectures)

- usually lookup issues are app/permissions based or can be replication based etc..

- what app is using it, is it a splunkbase app or custom?

 

Tags (1)
0 Karma

New Member

-Splunk arch is clustered

-the app using it is TA-Linux-auditd. Which is where it is pointing to. 

0 Karma

New Member

If i am correct the application is a custom. I cannot give you an honest answer since I was not present at the initial install. I am adopting all the issues that was left behind.

0 Karma