- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Could not find all of the specified lookup fields ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could not find all of the specified lookup fields in the lookup table
Ever since I upgraded to Splunk 6.2.3, this app stopped working properly.
I also tried to reinstall the app, with the same results:
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'FireEye_CEF' and lookup table 'fireeye_severity_lookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'fe_xml' and lookup table 'fireeye_severity_lookup'.
Events are getting indexed, and are also properly parsed in the Analysis pages, but not shown on the main dashboard
Anyone had the same issue?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Outstanding. To wrap this question up, we will be replacing the TA in ES after we pass the Splunk TA certification.
For anyone else who runs across a lookup error message try the troubleshooting steps shown in the comment above.
If none of those work or you have other issues, please feel free to reach out directly. Just click the Send feedback link within the help menu of the app and it will email me. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Tony. We ran into the same issue. It looks like we had both 3.0.7 and 3.3.2 running. I disabled 3.0.7 and the errors went away.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You probably want to disable the TA that ships with ES. Try the 3.0.7 TA instead. Then see what fields are available within ES. Hope that helps.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good morning ybahat,
Here is a list of things to look at when troubleshooting:
1) Do you only have one instance of the app installed? - You should only have one
2) Do you have the app and the TA installed on the same system? - You do not need both
3) Do you have v2 and v3 of the FireEye app installed on the same system? - You should have v2 for Splunk 5.x and v3 for Splunk 6.x
4) Do you have Splunk Enterprise Security installed? - I believe it still ships with an old FireEye TA, need to remove old TA from ES
5) Do you have the Palo Alto app installed? - There is a permission issue with their app that breaks other lookups. See the Work Arounds section here: https://splunkbase.splunk.com/app/1845/#/documentation
If any of the above are true, make the correction and let us know if the issue is fixed. If not, feel free to click on help -> send feedback within the app and we can set up a webex session to troubleshoot the issue. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you sir, you were right on the money with Item 4
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
