Solved: Minemeld Lookup errors after upgrading Splunk to 7...

matthewfry · ‎11-29-2018

Splunk version: 7.2.1
Palo Alto App version: 6.1

I am getting the following errors after the upgrade:

Could not load lookup=LOOKUP-minemeldfeeds_dest_lookup
Could not load lookup=LOOKUP-minemeldfeeds_src_lookup

The Splunkbase page for the Palo Alto app says 6.1 is compatible with 7.2... so what gives? How can I clear this error? I have found no answers for this on Splunk Answers or on Google.

matthewfry · ‎11-30-2018

Okay I have found my own answer. This ended up being a KVStore issue. The resolution was to run the following command on my SearchHead:

./splunk migrate migrate-kvstore

Here is the article that helped me to this conclusion:

https://answers.splunk.com/answers/690118/why-is-the-kv-store-process-failing-after-upgrade.html

View solution in original post

matthewfry · ‎11-30-2018

Okay I have found my own answer. This ended up being a KVStore issue. The resolution was to run the following command on my SearchHead:

./splunk migrate migrate-kvstore

Here is the article that helped me to this conclusion:

https://answers.splunk.com/answers/690118/why-is-the-kv-store-process-failing-after-upgrade.html

matthewfry · ‎11-29-2018

Also get this in the Palo Alto dashboards:

Error in 'lookup' command: Lookups: Could not construct lookup 'minemeldfeeds_lookup, indicator, AS, client_ip, OUTPUT, value.autofocus_tags, AS, client_autofocus_tags'. See search.log for more details.

Minemeld Lookup errors after upgrading Splunk to 7.2

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023