Solved: Could not load lookup=LOOKUP-minemeldfeeds...

Scottc_2 · ‎03-26-2019

Palo Alto app/TA installed across search/index cluster and on ES standalone head. Ran without problems for some time, but now we're seeing errors on the search cluster for ANY search in Splunk. Two errors per indexer:

Could not load lookup=LOOKUP-minemeldfeeds_dest_lookup
Could not load lookup=LOOKUP-minemeldfeeds_src_lookup

Can anyone point me in the right direction for a solution to this? I've been digging and can't find an obvious reason for the error.

Thanks.

Scottc_2 · ‎04-23-2019

The solution for this ended up being a search head out of sync with the rest of the cluster. Once I resolved the sync issue, the error disappeared.

Thanks to the others for your responses.

View solution in original post

Scottc_2 · ‎04-23-2019

The solution for this ended up being a search head out of sync with the rest of the cluster. Once I resolved the sync issue, the error disappeared.

Thanks to the others for your responses.

woodcock · ‎04-23-2019

Sweet. Click Accept on your answer to close the question.

lakshman239 · ‎04-23-2019

I believe this came up when https://splunkbase.splunk.com/app/2757/ version 6.0.0 introduced Mime, which broke the props/transforms.conf. This has since been fixed in later versions. we use 6.0.2 with no issues now and also an updated version 6.1.x

woodcock · ‎04-23-2019

You must add it in the right place. Go to Settings -> Lookups -> Lookup Definitions and search for the reported lookup ( minemeldfeeds_dest_lookup ). There you will see the name of the lookup file being used and the app which should own it. Create/replace the lookup file with the same name in that app and the error will go away.

Could not load lookup=LOOKUP-minemeldfeeds...

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms