Why is the Splunk App for Windows Infrastructure unable to build lookups after install?

scottrunyon
Contributor

I am in the process of shrinking my Splunk configuration from a Distributed setup to a Single instance. I did a fresh install of Splunk Enterprise, moved old indexed data to the new system and am starting to configure the Apps and Add-ons. While running the Splunk App for Windows Infrastructure's Guided setup, it passes the Prerequisites (Splunk v6.6.1, Splunk Add-on for Windows v4.8.4 and Splunk Supporting Add-on for Windows Active Directory v2.1.4), passes Check data and then starts to experience issues. Using the Detect Features button, it starts looking for Windows and AD features.

The status window shows -
WinApp_Lookup_Build_Perfmon - Update - Server could not be built.
WinApp_Lookup_Build_Perfmon - Update - Detail could not be built.
WinApp_Lookup_Build_Event - Update - Server could not be built.
WinApp_Lookup_Build_Event - Update - Detail could not be built.
WinApp_Lookup_Build_Hostmon - Update - Server could not be built.
WinApp_Lookup_Build_Hostmon_Machine - Update - Detail could not be built.
WinApp_Lookup_Build_Hostmon_FS - Update - Detail could not be built.
WinApp_Lookup_Build_Hostmon_Process - Update - Detail could not be built.
WinApp_Lookup_Build_Hostmon_Services - Update - Detail could not be built.
WinApp_Lookup_Build_Netmon - Update - Server could not be built.
WinApp_Lookup_Build_Netmon - Update - Detail could not be built.
WinApp_Lookup_Build_Printmon - Update could not be built.
DomainSelector_Lookup could not be built.
HostToDomain_Lookup_Update could not be built.
tHostInfo_Lookup_Update could not be built.
tSessions_Lookup_Update could not be built.
SiteInfo_Lookup_Update could not be built.
ActiveDirectory: Update GPO Lookup could not be built.
ActiveDirectory: Update Group Lookup could not be built.
ActiveDirectory: Update User Lookup could not be built.
ActiveDirectory: Update Computer Lookup could not be built.

I then finish and look at the Overview, some data is populated but not enough to be useful.

I do not see any relevant errors in splunkd.log and am stumped as to where to look next.

Any help is appreciated.

0 Karma
1 Solution

scottrunyon
Contributor

I opened a case with support. They found that there was a local/savedsearches.conf file that had the searches disabled. I deleted the file, restarted Splunk and the setup was able to complete.

0 Karma
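
The accepted solution above comes down to Splunk's configuration layering: a setting in an app's local/ directory overrides the same setting in default/, so a local savedsearches.conf can switch off searches that ship enabled. The following check is an added example, not code from the thread or from Splunk. It reads both layers and reports which stanzas end up disabled and which layer decided it; the file contents, search strings and `example_*` names are constructed, and only the stanza names are taken from the status window in the question.

```python
# Constructed sample files; only the stanza names come from the status window above.
DEFAULT_CONF = r"""
[WinApp_Lookup_Build_Perfmon - Update - Server]
search = eventtype=example_perfmon \
    [ | inputlookup example_hosts ]
disabled = 0
[DomainSelector_Lookup]
search = eventtype=example_ad
[ActiveDirectory: Update GPO Lookup]
search = eventtype=example_gpo
"""
LOCAL_CONF = """
[WinApp_Lookup_Build_Perfmon - Update - Server]
disabled = 1
[DomainSelector_Lookup]
disabled = true
"""
TRUE_VALUES = {"1", "true", "t", "yes", "y"}  # spellings treated as "on" here

def parse_conf(text):
    """Parse .conf text into {stanza: {key: first line of value}}."""
    stanzas, current, continuing = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if continuing:  # rest of a value that ended in "\": never a stanza or key
            continuing = line.endswith("\\")
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
            continuing = line.endswith("\\")
    return stanzas

def effective_disabled(default_text, local_text):
    """Return {stanza: (is_disabled, deciding_layer)}; local/ wins over default/."""
    default, local = parse_conf(default_text), parse_conf(local_text)
    result = {}
    for name in sorted(set(default) | set(local)):
        layer = "local" if "disabled" in local.get(name, {}) else "default"
        value = (local if layer == "local" else default).get(name, {}).get("disabled", "0")
        result[name] = (value.lower() in TRUE_VALUES, layer)
    return result

if __name__ == "__main__":
    for name, (off, layer) in effective_disabled(DEFAULT_CONF, LOCAL_CONF).items():
        print(f"{'DISABLED' if off else 'enabled':8}  {layer:7}  {name}")
```

The continuation handling matters for saved searches in particular: a subsearch on a continued line is wrapped in square brackets and would otherwise be misread as a new stanza header.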

feiswi00
New Member

Found that it was permissions on the application. You most likely only have to do this on the default directory.
chmod -R 775 splunk_app_windows_infrastructure

0 Karma

jaxjohnny2000
Builder

Check the file system also for either permission changes, or disk full. If there is less than 5000MB free, the lookups will not build.

0 Karma

stephen_p_brown
Explorer

If anyone else comes across this in Splunk version 7.2.0, make sure you have an account called admin and that it has the correct roles. When I installed version 7.2.0, it gave the option to name the local admin whatever I wanted, so I named it something other than admin, which caused the errors above.

pkiselevs
Explorer

This helped me.

Started with a custom admin name and lookups did not work, then created user "admin" and that fixed the issue.
Thanks

0 Karma

isoint
New Member

Thank you! This was exactly my issue!

0 Karma

sonomauser
Explorer

This was it!

Thank you.

0 Karma
