Why is the Splunk App for Windows Infrastructure unable to build lookups after install?

Contributor

I am in the process of shrinking my Splunk configuration from a Distributed setup to a Single instance. I did a fresh install of Splunk Enterprise, moved old indexed data to the new system and started to configure the Apps and Add-ons. While running the Splunk App for Windows Infrastructure's Guided setup, it passes the Prerequisites (Splunk v6.6.1, Splunk Add-on for Windows v4.8.4 and Splunk Supporting Add-on for Windows Active Directory v2.1.4), passes Check data and then starts to experience issues. Using the Detect Features button, it starts looking for Windows and AD features.

The status window shows -
WinApp_Lookup_Build_Perfmon - Update - Server could not be built.
WinApp_Lookup_Build_Perfmon - Update - Detail could not be built.
WinApp_Lookup_Build_Event - Update - Server could not be built.
WinApp_Lookup_Build_Event - Update - Detail could not be built.
WinApp_Lookup_Build_Hostmon - Update - Server could not be built.
WinApp_Lookup_Build_Hostmon_Machine - Update - Detail could not be built.
WinApp_Lookup_Build_Hostmon_FS - Update - Detail could not be built.
WinApp_Lookup_Build_Hostmon_Process - Update - Detail could not be built.
WinApp_Lookup_Build_Hostmon_Services - Update - Detail could not be built.
WinApp_Lookup_Build_Netmon - Update - Server could not be built.
WinApp_Lookup_Build_Netmon - Update - Detail could not be built.
WinApp_Lookup_Build_Printmon - Update could not be built.
DomainSelector_Lookup could not be built.
HostToDomain_Lookup_Update could not be built.
tHostInfo_Lookup_Update could not be built.
tSessions_Lookup_Update could not be built.
SiteInfo_Lookup_Update could not be built.
ActiveDirectory: Update GPO Lookup could not be built.
ActiveDirectory: Update Group Lookup could not be built.
ActiveDirectory: Update User Lookup could not be built.
ActiveDirectory: Update Computer Lookup could not be built.

I then finish and look at the Overview, some data is populated but not enough to be useful.

I do not see any relevant errors in splunkd.log and am stumped as to where to look next.

Any help is appreciated.

0 Karma
1 Solution

Contributor

I opened a case with support. They found that there was a local/savedsearches.conf file that had the searches disabled. I deleted the file, restarted Splunk and the setup was able to complete.

0 Karma
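
To see which searches a local saved-searches file (savedsearches.conf in Splunk) is disabling before deleting it, a check like the following can help. It is an added example, not part of the original posts or Splunk's own tooling; the sample file is constructed from names in the status output above, and only `1` and `true` are treated as disabled.

```shell
#!/bin/sh
# Added example: list saved searches that a Splunk .conf file disables.
# Layout assumed: [stanza name] headers followed by key = value lines.

# Print the name of every stanza in "$1" that sets disabled to 1 or true.
disabled_searches() {
    awk '
        /^[ \t]*#/ { next }                        # skip comment lines
        /^\[.*\][ \t\r]*$/ {                       # stanza header
            name = $0
            sub(/^\[/, "", name); sub(/\][ \t\r]*$/, "", name)
            next
        }
        /^[ \t]*disabled[ \t]*=/ {                 # disabled = <value>
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
            val = tolower(val)
            if (name != "" && (val == "1" || val == "true")) print name
        }
    ' "$1"
}

# Constructed sample standing in for local/savedsearches.conf.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real deployment file
[WinApp_Lookup_Build_Perfmon - Update - Server]
disabled = 1

[DomainSelector_Lookup]
disabled = True

[tSessions_Lookup_Update]
disabled = 0

[SiteInfo_Lookup_Update]
cron_schedule = 0 * * * *
EOF
    printf '%s\n' "$f"
}

# Check the file given as $1, or the constructed sample when none is given.
conf=${1:-$(make_sample)}
disabled_searches "$conf"
```

Pass the path of the app's local file as the first argument; on a typical install that would be under `$SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/local/`, which is an assumption based on the app directory name used elsewhere in this thread.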

New Member

Found that it was permissions on the application. You most likely only have to do this on the default directory.
chmod -R 775 splunk_app_windows_infrastructure

0 Karma

Contributor

Check the file system also for either permission changes, or disk full. If there is less than 5000MB free, the lookups will not build.

0 Karma

If anyone else comes across this in Splunk version 7.2.0, make sure you have an account called admin and it has the correct roles. When I installed version 7.2.0 it gave the option to name the local admin whatever I wanted, so I named it something other than admin, which caused the errors above.

Explorer

This helped me.

Started with custom admin name and lookups did not work, then created user "admin" and fixed issue.
Thanks

0 Karma

New Member

Thank you! This was exactly my issue!

0 Karma

Engager

This was it!

Thank you.

0 Karma
