
Unable to find LOOKUP-eventcode

dcottindustry
Explorer

Nice work on the threathunting app!

This isn't so much a question, just an observation: with v1.1 of the app it seems that a lookup definition is missing for the 'eventcode.csv' lookup table. If you install it out of the box, even with the additional lookup tables copied in from GitHub, it still throws a missing lookup error.

Adding the following to transforms.conf fixes the issue:

[eventcode]
filename = eventcode.csv

Update: This is still an issue with v1.3.2 of the application...


florho
Explorer

I had the same and this is what I've done to fix it.
First run this
/opt/splunk/bin/splunk btool props list --debug |grep eventcode

Several will be shown, especially if you have the TA for Microsoft Sysmon loaded on your SH, whose definition is slightly different:
LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature

Check permissions and adapt as necessary to get it running...

In my case, the TA was there but not really in use so I commented the line from the MS TA... and the threathunter app works fine now.

Hope this helps.

aaronc9000
Engager

Sorry, but I'm having a hard time understanding exactly what you did to fix this. I ran the BTOOL (as you stated), and saw the following results:

/opt/splunk/etc/apps/ThreatHunting/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW event_description
/opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
/opt/splunk/etc/apps/TA-microsoft-windefender/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature

Now you say: "In my case, the TA was there but not really in use so I commented the line from the MS TA"

Which TA?

Which MS TA?

Which line?

Let me know. Thanks!


florho
Explorer

Sorry for the delay.
Basically, this is what Splunk says about it:
If you have more than two objects of the same category with the same name, only one of those objects is applied.
Duplicate naming can happen when objects have their permissions changed. For example, you can have lookups in two separate apps that have the same name. They do not conflict with each other when they are shared at the app level. However, if one of those lookups has their permissions changed so that they are shared globally, it is possible for one of those lookups to be applied instead of the other.

So in threat hunting, you can modify it so that it is the same as on the other app.

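A shell diagnostic for the btool check florho describes and for the duplicate-definition conflict explained in the post above, run over a constructed copy of the three lines aaronc9000 posted; this is an added example, not code from the thread or from the ThreatHunting app.

```shell
#!/bin/sh
# Constructed sample of `splunk btool props list --debug | grep LOOKUP-eventcode`
# output, modelled on the lines posted in this thread (not captured from a real host).
SAMPLE_CONFLICT='/opt/splunk/etc/apps/ThreatHunting/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW event_description
/opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
/opt/splunk/etc/apps/TA-microsoft-windefender/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature'

# Same sample after the ThreatHunting definition has been aligned with the TA (constructed).
SAMPLE_FIXED='/opt/splunk/etc/apps/ThreatHunting/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
/opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature'

# lookup_definitions NAME: read btool --debug lines on stdin and print, for every
# app defining LOOKUP-NAME, "<app><TAB><lookup and field list>". The first column
# of btool --debug output is the file the setting comes from (.../apps/<app>/...).
lookup_definitions() {
  awk -v key="LOOKUP-$1" '
    $2 == key {
      n = split($1, p, "/"); app = p[n - 2]
      def = ""
      for (i = 4; i <= NF; i++) def = def (def == "" ? "" : " ") $i
      print app "\t" def
    }'
}

# check_lookup_conflict NAME: return 0 when every app agrees on the lookup's
# destination fields, 1 when two apps define it differently. A mismatch is the
# usual cause of "Could not find all of the specified destination fields"
# when the globally shared copy wins over the app-local one.
check_lookup_conflict() {
  defs=$(lookup_definitions "$1")
  distinct=$(printf '%s\n' "$defs" | cut -f2 | sort -u | wc -l | tr -d ' ')
  if [ "$distinct" -gt 1 ]; then
    printf 'CONFLICT: LOOKUP-%s is defined %s different ways:\n%s\n' "$1" "$distinct" "$defs"
    return 1
  fi
  printf 'OK: LOOKUP-%s is defined consistently\n' "$1"
  return 0
}

# Stand-alone run over the constructed samples; on a real search head replace the
# sample with: /opt/splunk/bin/splunk btool props list --debug | grep LOOKUP-eventcode
printf '%s\n' "$SAMPLE_CONFLICT" | check_lookup_conflict eventcode
printf '%s\n' "$SAMPLE_FIXED" | check_lookup_conflict eventcode
```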

clhall1
Explorer

Turns out this was the fix for me. I used the btool command you listed above, and that pointed me to a permissions issue with /opt/splunk/etc/apps/TA-microsoft-sysmon/. Changed the perms for that folder to 755, and that fixed it all.

Thanks!

Edit: It was a perms issue with the lookup file itself, not the props.conf


mcbradfordwcb
Engager

I am also having the same issue


rvany
Communicator

That's bad.


mmccrory
New Member

I apologize for my stupidity, but do you mean the transforms.conf file for the Threathunting app (etc\apps\threathunting...) or the conf file for Splunk overall (etc\system...)?

I'm running into this same problem with v1.1 and am trying to figure out how to fix it without breaking something else.


dcottindustry
Explorer

Not a stupid question at all 🙂 I mean the transforms.conf for the threathunting app itself in 'etc\apps\threathunting'


aaronclf
New Member

This is still an issue, and it looks like the "[eventcode]" trick you mentioned is already present in my transforms.conf file.
I'm using v1.3.4.

Anyone else still experiencing this issue?

From the search log:
ERROR LookupDataProvider - Could not find all of the specified destination fields in the lookup table.
ERROR AutoLookupDriver - Could not load lookup='LOOKUP-eventcode' reason='Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table.'


clhall1
Explorer

I'm having the same issue, using version 1.4.1


blopon
New Member

I have the same problem with 1.3.4, and [eventcode] is present as well in my transforms.conf file.


rvany
Communicator

Are you on a Windows system or Linux? transforms.conf in v1.3.4 has Windows-style line separation (i.e. CR-LF). Maybe that leads to some trouble - of course, if at all, then on Linux.


mmccrory
New Member

Awesome. Thanks for the follow up, you have no idea how much I appreciate it. I'm very new with Splunk and kinda learning as I go. I'll play around with it tomorrow. I added the [eventcode] piece to the Splunk transforms.conf file, and that removed the error triangle alert thingy, but still didn't show me data. Hopefully I'll have better luck with what you suggested. The ThreatHunting dash looks awesome, so I am really excited to get it working. Thanks again.
