
ThreatHunting app (by Olaf Hartong) Red Triangle Error: "Could not load lookup=LOOKUP-eventcode"

aaronc9000
Engager

I really want to make this app work. (https://splunkbase.splunk.com/app/4305/) I've tried several times to install & configure (on both Windows & Linux servers), and I always get the same results:

A red triangle that reads: "Could not load lookup=LOOKUP-eventcode"

I have a Linux server (CentOS 7), currently.

For the love of god - can someone give me a detailed technical breakdown of what I can do to resolve this issue?

Much appreciated

guillaumeorland
Engager

Hi,
I ran into the exact same issue, and I managed to solve it.

Try to run the following command:
/opt/splunk/bin/splunk btool props list --debug | grep LOOKUP-eventcode

You should see something like:
/opt/splunk/etc/apps/Threathunting/default/props.conf LOOKUP-eventcode = eventcode Eventcode OUTPUTNEW event_description
/opt/splunk/etc/app/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = [...]

Those two duplicate lines are what's causing this error.

You can comment the line "LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature" in the /opt/splunk/etc/app/TA-microsoft-sysmon/default/props.conf.

After a quick refresh of your Threathunting dashboard, your issue should be gone.

chr1s
Engager

Thank you, this solved the issue. Several posts cover this issue and this was the clearest solution.
