Re: Issue: Could not load lookup=LOOKUP-audit01

robins722 · ‎07-22-2020

Hey all!

We are currently running 7.3.1 splunk enterprise (Windows) on our system, I just recently ran into an issue. When I go to check on information of one of our servers. I get this error massage stating 'Could not load lookup=LOOKUP-audit01'. Now I've done research already and went into settings-> Lookups-> Lookup Definitions and searched for audit01. Now that search informed me of the lookup file being used and app that it is associated with. I went into my files and discovered that the audit01.csv does exist in the location it is stating. So, I would think there would be no issue for it to find and load it. Does anyone have any other ideas I am missing?

mattymo · ‎07-22-2020

Hey! Few things to qualify and find your issue:

- what does your splunk arch look like? distributed? clustered? (see Splunk Validated Architectures)

- usually lookup issues are app/permissions based or can be replication based etc..

- what app is using it, is it a splunkbase app or custom?

- MattyMo

robins722 · ‎07-22-2020

-Splunk arch is clustered

-the app using it is TA-Linux-auditd. Which is where it is pointing to.

robins722 · ‎07-22-2020

If i am correct the application is a custom. I cannot give you an honest answer since I was not present at the initial install. I am adopting all the issues that was left behind.

Issue: Could not load lookup=LOOKUP-audit01

alert condition

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor