ThreatHunting app (by Olaf Hartong) Red Triangle Error: "Could not load lookup=LOOKUP-eventcode"

Engager

I really want to make this app work. (https://splunkbase.splunk.com/app/4305/) I've tried several times to install & configure (on both Windows & Linux servers), and I always get the same results:

A red triangle that reads: "Could not load lookup=LOOKUP-eventcode"

I have a Linux server (CentOS 7), currently.

For the love of god - can someone give me a detailed technical breakdown of what I can do to resolve this issue?

Much appreciated

Hi,
I ran into the exact same issue, and I managed to solve it.

Try to run the following command:
/opt/splunk/bin/splunk btool props list --debug | grep LOOKUP-eventcode

You should see something like:
/opt/splunk/etc/apps/Threathunting/default/props.conf LOOKUP-eventcode = eventcode Eventcode OUTPUTNEW event_description
/opt/splunk/etc/app/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = [...]

Those two duplicate lines are what's causing this error.

You can comment out the line "LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature" in /opt/splunk/etc/app/TA-microsoft-sysmon/default/props.conf.

After a quick refresh of your Threathunting dashboard, your issue should be gone.
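
Added example (not part of the posts above, and not code from the ThreatHunting app or from Splunk): a shell function that generalizes the grep in the answer by scanning the whole `btool props list --debug` output for any LOOKUP-<class> name defined by more than one props.conf file. The function names, stanza names and the `LOOKUP-constructed_only` line are assumptions made for the sample; the input is constructed, not captured from a real system.

```shell
#!/bin/sh
# Read `splunk btool props list --debug` output on stdin and print each
# LOOKUP-<class> name that more than one props.conf file defines.
# Assumes no spaces in the conf file paths, so awk field 1 is the path.
find_lookup_collisions() {
    awk '
        # Setting lines look like: <conf path> <name> = <value>
        # Stanza header lines have "[...]" in field 2 and are skipped.
        $2 ~ /^LOOKUP-/ && $3 == "=" {
            if (!(($2, $1) in seen)) {      # count each file once per name
                seen[$2, $1] = 1
                count[$2]++
                files[$2] = files[$2] " " $1
            }
        }
        END {
            for (name in count)
                if (count[name] > 1)
                    print name ":" files[name]
        }
    ' | sort
}

# Constructed sample input: stanza names and the LOOKUP-constructed_only
# line are made up; the LOOKUP-eventcode values are the ones quoted above.
sample_btool_output() {
    cat <<'EOF'
/opt/splunk/etc/apps/Threathunting/default/props.conf [constructed:stanza_a]
/opt/splunk/etc/apps/Threathunting/default/props.conf LOOKUP-eventcode = eventcode Eventcode OUTPUTNEW event_description
/opt/splunk/etc/apps/Threathunting/default/props.conf [constructed:stanza_b]
/opt/splunk/etc/apps/Threathunting/default/props.conf LOOKUP-eventcode = eventcode Eventcode OUTPUTNEW event_description
/opt/splunk/etc/apps/Threathunting/default/props.conf LOOKUP-constructed_only = constructed_table code OUTPUTNEW label
/opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf [constructed:stanza_c]
/opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
EOF
}

# Real use: /opt/splunk/bin/splunk btool props list --debug | find_lookup_collisions
```

On the sample, only LOOKUP-eventcode is reported, with both conf files listed after it.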

Engager

Thank you, this solved the issue. Several posts on this issue and this was the clearest solution.

0 Karma