All Apps and Add-ons

Could not load lookup=LOOKUP-user_account_control_property

alonsocaio
Contributor

After updating Splunk_TA_Windows to version 6.0.0, I am getting error messages on every search I run.

[INDEXER 1] Could not load lookup=LOOKUP-user_account_control_property
[INDEXER 2] Could not load lookup=LOOKUP-user_account_control_property
[INDEXER 3] Could not load lookup=LOOKUP-user_account_control_property
[HEAVY FORWARDER] Could not load lookup=LOOKUP-user_account_control_property

All my instances (SH, Indexers and HF) are using the same version of Splunk_TA_Windows (6.0.0) and Splunk Enterprise (7.2.6). I am able to find this lookup in the Splunk_TA_Windows folder, using CLI, but It looks like Splunk is not finding It in any of my instances. When I disable this lookup in my SH I still get error messages.

Any tips on how to solve this issue? Does anyone knows what causes this error messages?

lakshman239
SplunkTrust
SplunkTrust

Have you looked at the transforms.conf related to those lookup definitions and also permissions (in default.meta/local.meta) or Via GUI? if they are available, they got to have export=system permissions.

alonsocaio
Contributor

Hi

In my default/transforms.conf I have this:

[user_account_control_property]
external_cmd = user_account_control_property.py userAccountControl userAccountPropertyFlag
external_type = python
fields_list = userAccountControl,userAccountPropertyFlag

And the python script is located ate splunk_ta_windows/bin.

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...