I had the same and this is what I've done to fix it.
First run this
/opt/splunk/bin/splunk btool props list --debug |grep eventcode
Several will be shown... especially if you have the TA microsoft sysmon that is loaded on your SH and is slightly different:
LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
Check permissions and adapt as necessary to get it running...
In my case, the TA was there but not really in use so I commented the line from the MS TA... and the threathunter app works fine now.
Hope this helps.
Turns out this was the fix for me. I used the btool command you listed above, and that pointed me to a permissions issue with /opt/splunk/etc/apps/TA-microsoft-sysmon/. Changed the perms for that folder to 755, and that fixed it all.
Edit: It was a perms issue with the lookup file itself, not the props.conf
Sorry, but I'm having a hard time understanding exactly what you did to fix this. I ran the BTOOL (as you stated), and saw the following results:
/opt/splunk/etc/apps/ThreatHunting/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW event_description
/opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
/opt/splunk/etc/apps/TA-microsoft-windefender/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
Now you say: "In my case, the TA was there but not really in use so I commented the line from the MS TA"
Which MS TA?
Let me know. Thanks!
Sorry for the delay.
Basically this is what Splunk says about it:
If you have more than two objects of the same category with the same name, only one of those objects is applied.
Duplicate naming can happen when objects have their permissions changed. For example, you can have lookups in two separate apps that have the same name. They do not conflict with each other when they are shared at the app level. However, if one of those lookups has their permissions changed so that they are shared globally, it is possible for one of those lookups to be applied instead of the other.
So in threat hunting, you can modify it so that it is the same as on the other app.
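The two things the thread turns on are (1) finding out which apps define the same props.conf attribute so only one copy wins, and (2) checking that the lookup file the winning definition points at is actually readable by the Splunk process. The script below is an added example written for this thread, not code from Splunk, the ThreatHunting app or any of the posters. It parses btool `--debug` output (the three lines are constructed to mirror the ones pasted above), reports attributes defined differently in more than one app, and flags lookup CSV files whose mode lacks group/other read bits, which is the symptom the 755 fix addressed. The file names, the temp directory and the `lacks_shared_read` heuristic are assumptions for the demo; in a real deployment you would feed it `splunk btool props list --debug` output and the paths under `lookups/`.

```python
"""Added example (not from the thread): spot duplicate props.conf LOOKUP-
definitions across Splunk apps and lookup files with restrictive permissions."""
import os
import re
import stat
import tempfile
from collections import defaultdict

# Constructed sample of `splunk btool props list --debug | grep eventcode`
# output, mirroring the three apps named in the thread.
SAMPLE_BTOOL_OUTPUT = """\
/opt/splunk/etc/apps/ThreatHunting/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW event_description
/opt/splunk/etc/apps/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
/opt/splunk/etc/apps/TA-microsoft-windefender/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
"""

# btool --debug prefixes every setting with the file it came from.
LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<key>[^=\s]+)\s*=\s*(?P<value>.*)$")


def parse_btool(text):
    """Return a list of (app, key, value) tuples from btool --debug lines."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        parts = m.group("path").split("/")
        # The app name is the path component right after ".../etc/apps/".
        app = parts[parts.index("apps") + 1] if "apps" in parts else m.group("path")
        rows.append((app, m.group("key"), m.group("value")))
    return rows


def find_conflicts(rows):
    """Map each attribute that is defined with differing values in more than
    one app to {app: value}. Splunk will only apply one of these."""
    by_key = defaultdict(dict)
    for app, key, value in rows:
        by_key[key][app] = value
    return {k: apps for k, apps in by_key.items() if len(set(apps.values())) > 1}


def lookup_definition_name(value):
    """The first token of a LOOKUP- value is the lookup definition name
    (here 'eventcode'), which is what the permissions check has to target."""
    return value.split()[0]


def lacks_shared_read(path):
    """True if the file cannot be read by group or others (e.g. mode 0600),
    the heuristic used here for 'the splunk user may not be able to read it'."""
    mode = os.stat(path).st_mode
    return (mode & (stat.S_IRGRP | stat.S_IROTH)) == 0


def demo_permission_check():
    """Create two constructed lookup CSVs in a temp dir, one 0600 and one
    0644, and report which one the heuristic flags."""
    workdir = tempfile.mkdtemp()
    bad = os.path.join(workdir, "eventcode_bad.csv")    # assumed name
    good = os.path.join(workdir, "eventcode_good.csv")  # assumed name
    for p in (bad, good):
        with open(p, "w") as fh:
            fh.write("EventCode,EventDescription\n1,Process Create\n")
    os.chmod(bad, 0o600)
    os.chmod(good, 0o644)
    return {os.path.basename(p): lacks_shared_read(p) for p in (bad, good)}


if __name__ == "__main__":
    rows = parse_btool(SAMPLE_BTOOL_OUTPUT)
    for key, apps in find_conflicts(rows).items():
        print(f"{key} is defined differently in {len(apps)} apps:")
        for app, value in apps.items():
            print(f"  {app}: {value}  (lookup definition: {lookup_definition_name(value)})")
    for name, flagged in demo_permission_check().items():
        print(f"{name}: {'NOT readable by group/others' if flagged else 'ok'}")
```

Run it as-is to see the three-way `LOOKUP-eventcode` conflict and the one flagged CSV; against a live search head, replace `SAMPLE_BTOOL_OUTPUT` with the real btool output and point `lacks_shared_read` at the CSVs under each app's `lookups/` directory.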