All Apps and Add-ons

After Updating the Add-on for Windows receive error "Could not load lookup=LOOKUP-app4_for_windows_security"

Explorer

We recently updated our Splunk add-on for Windows to 5.0.1, whenever searching we receive the error "Could not load lookup=LOOKUP-app4_for_windows_security" from all of our indexers and search head. We have no local configuration that overrides these lookups, so they are defined as the default from the app. Does anyone have ideas as to what could be causing this error?

1 Solution

Explorer

This problem happens because you likely have the Splunk App for Windows Infrastructure installed, which is not compatible. See the release notes for the Windows App here: https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Releasenotes

"The Splunk Add-on for Windows 5.0.1 is not compatible with the Splunk App for Windows Infrastructure version 1.4.4 and the Splunk App for Microsoft Exchange version 3.4.4. Use the Splunk Add-on for Windows 4.8.4 if you want to use either of these apps."

On my instance, removing the Windows Infrastructure application resolved the errors.


New Member

Seeing similar errors even after I removed the splunk app for infrastructure, and also gutted the app for exchange. No more lookups from either of those apps exist now.

I verified that the new lookup tables exist on both the Indexers and Search Heads.

I went ahead and opened up the job inspector to find out what exactly the errors were and this is what it said in addition to could not load lookup table: "Could not find all the specified destination fields in the lookup table"

What I find weird is that it only errors out "app4" instead of 0,1,2 or 3. Even though they all use the same lookup file. I also get a second lookup error for the "Categorystring for windows" lookup.

0 Karma

Esteemed Legend

It has to do with the fact that there was a switch in the Splunk_TA_windows from sourcetype as differentiator to source. Start with this search SPL to see the now-broken lookup file data:

|inputlookup windows_apps

If this pulls up data (it definitely will if you go into the Splunk App for Windows Infrastructure app which is the app that owns this lookup file), then expand to this SPL and run it to upgrade the lookup file to be compatible with the changes in the upgraded Splunk_TA_windows:

|inputlookup windows_apps
| eval source=sourcetype
|outputlookup windows_apps

0 Karma

New Member

Hi,

At first I changed, as mentioned before, the props.conf file and changed from sourcetype to source.

Next I ran the first SPL and it turned up nothing. The expanded one gave me an error: "Error in 'outputlookup' command: The lookup table 'windows_apps' is invalid." Is there a way of (re)creating that table?
The job inspector and search log gave me the same error.
Any advice/help is highly appreciated.

Kind regards,
Hlouwes

0 Karma

New Member

Hi Woodcock, sorry for the delay concerning my progress.

I opened the Splunk App for Windows Infrastructure and inside the app in the Search window I entered the search commands you specified but I keep getting the error stating that "windows_apps" is an invalid table.

Because I screwed up settings due to a wrong command, we restored the server to the point before I made some changes in inputs.conf in order to try and fix several health checks due to missing stanzas. The Lookup-App4_for_windows_security error now doesn't appear anymore, but the windows_apps table is still invalid.

Any other ideas or hints?

Kind regards.

0 Karma

Contributor

Same story as @hlouwes: "The lookup table 'windows_apps' is invalid." when running the search inside the app. (Job settings show "App: splunk_app_windows_infrastructure".)

0 Karma

Esteemed Legend

You need to run the command inside of the Splunk App for Windows Infrastructure so its knowledge objects are all in scope.

0 Karma

Communicator

Edit the windows_apps.csv lookup file for the "Splunk App for Windows Infrastructure" and change the "sourcetype" field name to "source" as referenced by the props.conf of the same Splunk App.

On a Splunk instance installed using the default path, the lookup file to edit is located at the following path:

$SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/lookups/windows_apps.csv

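The header rename described in the answer above, as an added example (not code from Splunk or from either app): it renames the legacy "sourcetype" column of a windows_apps.csv-style lookup to "source", and reports which fields a lookup definition expects but the CSV lacks, which is what the "Could not find all the specified destination fields" error is complaining about. The sample rows and column set are constructed for illustration; the real file may carry other columns.

```python
"""Rename the legacy "sourcetype" column of a windows_apps.csv lookup to "source".

Added example, not code from Splunk or the apps discussed; the sample rows,
column set and the helper functions are constructed here for illustration.
"""
import csv
import io
import shutil

# Constructed sample: a pre-5.0 style lookup keyed on sourcetype (columns are illustrative).
OLD_LOOKUP = """sourcetype,app
WinEventLog:Security,windows_security
WinEventLog:System,windows_system
"""


def missing_fields(csv_text: str, required: set) -> set:
    """Return the required lookup fields absent from the CSV header (empty set when all present)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return set(required) - set(reader.fieldnames or [])


def migrate_lookup(csv_text: str, old: str = "sourcetype", new: str = "source") -> str:
    """Rename column `old` to `new`, keeping row order and values; idempotent."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = list(reader.fieldnames or [])
    if new in fields:
        return csv_text  # already migrated, nothing to do
    if old not in fields:
        raise ValueError(f"lookup has neither {old!r} nor {new!r}: {fields}")
    new_fields = [new if f == old else f for f in fields]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=new_fields, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row[new] = row.pop(old)  # move the value under the new column name
        writer.writerow(row)
    return out.getvalue()


def migrate_file(path: str) -> None:
    """Back up `path` to `path`.bak, then rewrite it with the renamed header."""
    shutil.copyfile(path, path + ".bak")
    with open(path, newline="") as fh:
        migrated = migrate_lookup(fh.read())
    with open(path, "w", newline="") as fh:
        fh.write(migrated)
```

Run `migrate_file("$SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/lookups/windows_apps.csv")` with the path expanded, then restart or reload the search head so the rewritten file is picked up.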

Communicator

This also worked for me.

0 Karma

Esteemed Legend

See my answer for an easier non-admin, non-CLI method to implement this EXCELLENT solution.

0 Karma

Path Finder

This resolved the issue for me.

In my test environment, where I have been playing around with Splunk_TA_windows (upgrading to 5.01 and then 6.00) and Splunk App for Windows Infrastructure 1.5.2, I found that I had an old windows_apps.csv file in the App for Windows Infrastructure lookups directory. It appeared to be from a previous install as 1.5.2 does not include it.

After installing TA 5.01, it updated the lookup definition, but it was still pointing to the old windows_apps.csv file which has the old "sourcetype" field. The new lookup definition looks at "source", so it couldn't complete the lookup. The error in the search log pointed me in the right direction - "Could not find all of the specified lookup fields in the lookup table".

I think it was grabbing the older lookup file, because of the configuration precedence rules, but don't quote me on that.

I deleted the old windows_apps.csv file from the App for Windows Infrastructure and now the lookup is using the new windows_apps.csv located in the TA lookups directory.

Path Finder

We had the same error, but with a totally different cause.

When we deployed the bundle with the updated Splunk_TA_windows app from the Deployer to the Search Head Cluster, we used the "save lookups" option (as we always do) which caused the new lookup files not to be pushed to the SHC.

We were unsure whether a redeployment without the save-lookups option would accidentally overwrite other lookup directories that SHOULD be saved, so we manually pushed the new Splunk_TA_windows/lookups directory to each of the SHC members.


Path Finder

Just FYI for any future readers. In my case I was using the Splunk App for Windows Infrastructure v2.0.0, which does not have a windows_apps.csv lookup file. But my search heads (I have a search cluster with a deployer server) still had the lookup file in the app's directory. I guess the deployment doesn't delete files.

My fix was to remove the splunk_app_windows_infrastructure directory from my search heads before re-deploying from the deployer. That way I didn't have leftover files from older versions of the app.

Explorer

Hmm that is interesting. I had seen that warning, however I upgraded the Splunk App for Windows Infrastructure to 1.5.1 which claims to support the latest version of the add-on. That said, when I disable the infrastructure app it resolves the errors so I guess there is still some bugs that need to be worked out. Thank you for your suggestion.

0 Karma

SplunkTrust

Please check if you have the lookups/windows_apps.csv file present under $SPLUNK_HOME/etc/apps/Splunk_TA_Windows on both your indexers and SH, as the default/props.conf and transforms.conf refer to this file using the above transform.

If you don't have it, please re-install or copy from another clean install.

0 Karma