Hey all!
We are currently running Splunk Enterprise 7.3.1 (Windows) on our system, and I just recently ran into an issue. When I go to check on information for one of our servers, I get this error message stating 'Could not load lookup=LOOKUP-audit01'. Now, I've done research already and went into Settings -> Lookups -> Lookup Definitions and searched for audit01. That search informed me of the lookup file being used and the app that it is associated with. I went into my files and discovered that audit01.csv does exist in the location it is stating. So, I would think there would be no issue for it to find and load it. Does anyone have any other ideas I am missing?
Hey! Few things to qualify and find your issue:
- what does your Splunk arch look like? distributed? clustered? (see Splunk Validated Architectures)
- usually lookup issues are app/permissions based or can be replication based, etc.
- what app is using it, is it a splunkbase app or custom?
- Splunk arch is clustered
- the app using it is TA-Linux-auditd, which is where it is pointing to.
If I am correct, the application is custom. I cannot give you an honest answer since I was not present at the initial install. I am adopting all the issues that were left behind.