I really want to make this app work. (https://splunkbase.splunk.com/app/4305/) I've tried several times to install & configure (on both Windows & Linux servers), and I always get the same results:
A red triangle that reads: "Could not load lookup=LOOKUP-eventcode"
I have a Linux server (CentOS 7), currently.
For the love of god - can someone give me a detailed technical breakdown of what I can do to resolve this issue?
I ran into the exact same issue, and I managed to solve it.
Try to run the following command:
/opt/splunk/bin/splunk btool props list --debug | grep LOOKUP-eventcode
You should see something like:
/opt/splunk/etc/apps/Threathunting/default/props.conf LOOKUP-eventcode = eventcode Eventcode OUTPUTNEW event_description
/opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = [...]
Those two duplicate lines are what's causing this error.
You can comment out the line "LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature" in /opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf.
After a quick refresh of your Threathunting dashboard, your issue should be gone.
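The btool check above can be scripted so that every LOOKUP-* key defined in more than one app's props.conf is reported at once, not just LOOKUP-eventcode. The script below is an added example and is not part of the answer above or of the ThreatHunting app; the sample btool output it embeds is constructed for the example (the two file paths mirror the ones in the answer), and the btool output format it assumes is "<file path> <key> = <value>", which is what `btool props list --debug` prints for each setting.

```shell
#!/bin/sh
# Added example: find LOOKUP-* settings defined in more than one props.conf,
# which is the situation behind "Could not load lookup=LOOKUP-eventcode".

# Constructed sample of `splunk btool props list --debug` output, so the
# script runs without a Splunk install. Format assumed: "<file> <key> = <value>".
SAMPLE_BTOOL_OUTPUT='/opt/splunk/etc/apps/Threathunting/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW event_description
/opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
/opt/splunk/etc/apps/Threathunting/default/props.conf LOOKUP-mitre_tactic = mitre_tactic technique_id OUTPUTNEW tactic'

# collect_lookups: print btool --debug output from a real install if present,
# otherwise fall back to the constructed sample above.
collect_lookups() {
    if [ -x /opt/splunk/bin/splunk ]; then
        /opt/splunk/bin/splunk btool props list --debug
    else
        printf '%s\n' "$SAMPLE_BTOOL_OUTPUT"
    fi
}

# find_duplicate_lookups: read btool --debug lines on stdin and print one line
# per LOOKUP-* key that appears in more than one file:
#   "<key> <count>: <file1> <file2> ..."
# Lines whose second field is not a LOOKUP-* key (stanza headers, other
# settings) are ignored.
find_duplicate_lookups() {
    awk '
        $2 ~ /^LOOKUP-/ { files[$2] = files[$2] " " $1; count[$2]++ }
        END {
            for (k in count)
                if (count[k] > 1) print k, count[k] ":" files[k]
        }
    ' | sort
}

# Usage: report every conflicting lookup definition found.
collect_lookups | find_duplicate_lookups
```

On a real server the report tells you which apps' props.conf files carry the same LOOKUP-* key, so you can decide which definition to keep (the answer above disables the TA-microsoft-sysmon copy). One caveat: btool --debug also prints stanza headers, and this script counts occurrences per file without tracking the stanza, so the same key legitimately defined under two different stanzas would be flagged too and should be checked by hand before commenting anything out.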
Thank you, this solved the issue. There are several posts on this issue, and this was the clearest solution.