- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After upgrading to Splunk Add-on for Microsoft Windows 5.0.0 and Splunk App for Windows Infrastructure 1.4.4 it seems I get the following errors ever query I put in:
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WMI:WinEventLog:Security' and lookup table 'windows_app_lookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::WinEventLog:Security' and lookup table 'windows_app_lookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::XmlWinEventLog:Security' and lookup table 'windows_app_lookup'.
I am unsure what the "for conf" stands for, but when I do a "|inputlookup windows_app_lookup" it does shows the file but no header is conf. It does show the 3 keys above.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The release notes stats that Windows Infrastructure 1.4.4 and Windows Addon 5.0.0 are not compatible yet. http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Releasenotes
Hence you might be facing such errors.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The release notes stats that Windows Infrastructure 1.4.4 and Windows Addon 5.0.0 are not compatible yet. http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Releasenotes
Hence you might be facing such errors.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I just saw that in the docs as well as during the application setup. Highest version can only be 4.8.4 right now.
OOPS!!! Thanks guys
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Dipco,
Does downgrading your windows addon helped in fixing the issue ? even I have similar issue, so wanted to check if this solution worked.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes it did. It actually had the warning on the application setup screen if you read it. Feel a little stupid that I didn't read/see the error before I posted.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah same here, I thought 4.8 version or above 🙂 thanks for the reply. I will try it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried rerunning the Winfra app setup procedure? that usually clears lookup errors like that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I rerun the app setup? Are you talking about the setup within the Windows Infrastructure application or do you mean to delete and re-add the application?
Just doing a rebuild on the lookups did not help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also - why is it complaining when I am not displaying Windows items or using the lookup. If I simply do a search with index=main or even index=_audit, I get the same 3 errors! Why?
