I'm attempting to get the Citrix XenDesktop 7 app (downloaded from SplunkBase) working on a Splunk Enterprise 7.2.3 platform (clustered search heads and indexer cluster). However, when I attempt to run the app from a search head, almost every search returns no results and also gives the following lookup errors:
Could not load lookup=LOOKUP-Installed Software Host Site Lookup
Could not load lookup=LOOKUP-PerfmonMk Host Site Lookup
Could not load lookup=LOOKUP-WMI:Services Host Site Lookup
Could not load lookup=LOOKUP-WinEventLog Host Site Lookup
(and shows them three times - once for each host in the indexer cluster)
I had an idea that the lookup might need to be defined on the indexers also, so I deployed the same app to the indexer cluster members, but this did not help (same errors and no results).
I suspect the issue here is something to do with 'sharing' the lookup files between the search head members? But not knowing much else about lookups, I've not got much else to think here.
Also, in case it's relevant, I've moderately modified the app to update the macros that define the index name to point to the index I'm using to collect the data with (and also modified the deployed Universal Forwarder app to send to this index).
Any ideas? Or should I be supplying more helpful information here?