I have a cluster deployment with one search cluster and one indexer cluster. Recently I upgraded MS Exchange App to the search cluster:
The TAs are also pushed to the indexer cluster. I also have removed the windows_apps.csv lookup under Exchange app as there is a newer copy under windows_TA, which suppressed "Could not load lookup=LOOKUP-app4_for_windows_security" error. I did not change anything else to the App.
However, every indexer reports “Could not load lookup=LOOKUP-user_account_control_property “ error for any searches. The user_account_control_property lookup come with the Windows_TA and is readable by any user/app by default. Could somebody help? Thanks in advance!
It turned out to be I have */bin/* directory in replication blacklist of distsearch.conf in the search cluster. The user_account_control_property lookup happened to be an external type (a python script under Splunk_windows_TA/bin directory). After removing this entry, the, the error went away.
I also replaced the windows_apps.csv lookup under Exchange app with the one under windows_TA to get rid of the "Could not load lookup=LOOKUP-app4_for_windows_security" error.
It turned out to be I have */bin/* directory in replication blacklist of distsearch.conf in the search cluster. The user_account_control_property lookup happened to be an external type (a python script under Splunk_windows_TA/bin directory). After removing this entry, the, the error went away.
I also replaced the windows_apps.csv lookup under Exchange app with the one under windows_TA to get rid of the "Could not load lookup=LOOKUP-app4_for_windows_security" error.