After upgrading to Splunk Add-on for Microsoft Windows 5.0.0 and Splunk App for Windows Infrastructure 1.4.4, it seems I get the following errors with every query I put in:
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WMI:WinEventLog:Security' and lookup table 'windows_app_lookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::WinEventLog:Security' and lookup table 'windows_app_lookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::XmlWinEventLog:Security' and lookup table 'windows_app_lookup'.
I am unsure what the "for conf" stands for, but when I do a "|inputlookup windows_app_lookup" it does show the file, but no header is conf. It does show the 3 keys above.
The release notes state that Windows Infrastructure 1.4.4 and Windows Addon 5.0.0 are not compatible yet. http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Releasenotes
Hence you might be facing such errors.
I just saw that in the docs as well as during the application setup. Highest version can only be 4.8.4 right now.
OOPS!!! Thanks guys
Hi Dipco,
Did downgrading your Windows add-on help in fixing the issue? Even I have a similar issue, so I wanted to check if this solution worked.
Yes it did. It actually had the warning on the application setup screen if you read it. Feel a little stupid that I didn't read/see the error before I posted.
Yeah same here, I thought 4.8 version or above 🙂 thanks for the reply. I will try it.
Have you tried rerunning the Winfra app setup procedure? That usually clears lookup errors like that.
How do I rerun the app setup? Are you talking about the setup within the Windows Infrastructure application or do you mean to delete and re-add the application?
Just doing a rebuild on the lookups did not help.
Also - why is it complaining when I am not displaying Windows items or using the lookup? If I simply do a search with index=main or even index=_audit, I get the same 3 errors! Why?