All Apps and Add-ons

After upgrade Exchange App and Windows TA, I got “Could not load lookup=LOOKUP-user_account_control_property “ error

lianwan
Explorer

I have a cluster deployment with one search cluster and one indexer cluster. Recently I upgraded MS Exchange App to the search cluster:

  • Upgraded windows_TA from 5.0.1 to 7.0.0
  • Upgraded Exchange TAs from 3.5.1 to 4.0.1
  • Upgraded Exchange App from 3.5.1 to 4.0.1
  • Removed windows infrastructure app 1.5.1

The TAs are also pushed to the indexer cluster. I also have removed the windows_apps.csv lookup under Exchange app as there is a newer copy under windows_TA, which suppressed "Could not load lookup=LOOKUP-app4_for_windows_security" error. I did not change anything else to the App.

However, every indexer reports  “Could not load lookup=LOOKUP-user_account_control_property “ error for any searches. The user_account_control_property lookup come with the Windows_TA and is readable by any user/app by default. Could somebody help? Thanks in advance!

 

 

Labels (1)
Tags (1)
0 Karma
1 Solution

lianwan
Explorer

It turned out to be I have */bin/* directory in replication blacklist of distsearch.conf in the search cluster. The user_account_control_property lookup happened to be an external type (a python script under Splunk_windows_TA/bin directory). After removing this entry, the, the error went away.

I also replaced the windows_apps.csv lookup under Exchange app with the one under windows_TA to get rid of the "Could not load lookup=LOOKUP-app4_for_windows_security" error.

View solution in original post

lianwan
Explorer

It turned out to be I have */bin/* directory in replication blacklist of distsearch.conf in the search cluster. The user_account_control_property lookup happened to be an external type (a python script under Splunk_windows_TA/bin directory). After removing this entry, the, the error went away.

I also replaced the windows_apps.csv lookup under Exchange app with the one under windows_TA to get rid of the "Could not load lookup=LOOKUP-app4_for_windows_security" error.

Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...