Re: Could not load lookup=LOOKUP-user_account_cont...

alonsocaio · ‎05-02-2019

After updating Splunk_TA_Windows to version 6.0.0, I am getting error messages on every search I run.

[INDEXER 1] Could not load lookup=LOOKUP-user_account_control_property
[INDEXER 2] Could not load lookup=LOOKUP-user_account_control_property
[INDEXER 3] Could not load lookup=LOOKUP-user_account_control_property
[HEAVY FORWARDER] Could not load lookup=LOOKUP-user_account_control_property

All my instances (SH, Indexers and HF) are using the same version of Splunk_TA_Windows (6.0.0) and Splunk Enterprise (7.2.6). I am able to find this lookup in the Splunk_TA_Windows folder, using CLI, but It looks like Splunk is not finding It in any of my instances. When I disable this lookup in my SH I still get error messages.

Any tips on how to solve this issue? Does anyone knows what causes this error messages?

lakshman239 · ‎05-02-2019

Have you looked at the transforms.conf related to those lookup definitions and also permissions (in default.meta/local.meta) or Via GUI? if they are available, they got to have export=system permissions.

alonsocaio · ‎05-02-2019

Hi

In my default/transforms.conf I have this:

[user_account_control_property]
external_cmd = user_account_control_property.py userAccountControl userAccountPropertyFlag
external_type = python
fields_list = userAccountControl,userAccountPropertyFlag

And the python script is located ate splunk_ta_windows/bin.

Could not load lookup=LOOKUP-user_account_control_property

Index This | I am a number but I am countless. What am I?

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

Leverage Cisco Talos Threat Intelligence Across Splunk Security Products