ThreatHunting app (by Olaf Hartong) Red Triangle E...

aaronc9000 · ‎01-10-2020

I really want to make this app work. (https://splunkbase.splunk.com/app/4305/) I've tried several times to install & configure (on both Windows & Linux servers), and I always get the same results:

A red triangle that reads: "Could not load lookup=LOOKUP-eventcode"

I have a Linux server (CentOS 7), currently.

For the love of god - can someone give me a detailed technical breakdown of what I can do to resolve this issue?

Much appreciated

guillaumeorland · ‎02-17-2020

Hi,
I ran into the exact same issue, and i managed to solve it.

Try to run the following command:
./opt/splunk/bin/splunk btool props list --debug | grep LOOKUP-eventcode

You should see something like:
/opt/splunk/etc/apps/Threathunting/default/props.conf LOOKUP-eventcode = eventcode Eventcode OUTPUTNEW event_description
/opt/splunk/etc/app/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = [...]

Those two duplicates lines is what's causing this error.

You can comment the line "LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature" in the /opt/splunk/etc/app/TA-microsoft-sysmon/default/props.conf.

After a quick refresh of your Threathunting dashboard, your issue should be gone.

chr1s · ‎03-10-2020

Thank you this solved the issue. Several posts on this issue and this was the clearest solution

ThreatHunting app (by Olaf Hartong) Red Triangle Error: "Could not load lookup=LOOKUP-eventcode"

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?