All Apps and Add-ons

Could not load lookup=LOOKUP-minemeldfeeds...

Scottc_2
Engager

Palo Alto app/TA installed across search/index cluster and on ES standalone head. Ran without problems for some time, but now we're seeing errors on the search cluster for ANY search in Splunk. Two errors per indexer:

  • Could not load lookup=LOOKUP-minemeldfeeds_dest_lookup
  • Could not load lookup=LOOKUP-minemeldfeeds_src_lookup

Can anyone point me in the right direction for a solution to this? I've been digging and can't find an obvious reason for the error.

Thanks.

0 Karma
1 Solution

Scottc_2
Engager

The solution for this ended up being a search head out of sync with the rest of the cluster. Once I resolved the sync issue, the error disappeared.

Thanks to the others for your responses.

View solution in original post

0 Karma

Scottc_2
Engager

The solution for this ended up being a search head out of sync with the rest of the cluster. Once I resolved the sync issue, the error disappeared.

Thanks to the others for your responses.

0 Karma

woodcock
Esteemed Legend

Sweet. Click Accept on your answer to close the question.

0 Karma

lakshman239
SplunkTrust
SplunkTrust

I believe this came up when https://splunkbase.splunk.com/app/2757/ version 6.0.0 introduced Mime, which broke the props/transforms.conf. This has since been fixed in later versions. we use 6.0.2 with no issues now and also an updated version 6.1.x

woodcock
Esteemed Legend

You must add it in the right place. Go to Settings -> Lookups -> Lookup Definitions and search for the reported lookup ( minemeldfeeds_dest_lookup ). There you will see the name of the lookup file being used and the app which should own it. Create/replace the lookup file with the same name in that app and the error will go away.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...