All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the Windows App Lookup giving errors in Splunk App for Windows Infrastructure?

dlpco
Path Finder
‎06-22-2018 04:17 PM

After upgrading to Splunk Add-on for Microsoft Windows 5.0.0 and Splunk App for Windows Infrastructure 1.4.4 it seems I get the following errors ever query I put in:

Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WMI:WinEventLog:Security' and lookup table 'windows_app_lookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::WinEventLog:Security' and lookup table 'windows_app_lookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::XmlWinEventLog:Security' and lookup table 'windows_app_lookup'.

I am unsure what the "for conf" stands for, but when I do a "|inputlookup windows_app_lookup" it does shows the file but no header is conf. It does show the 3 keys above.

Reply
1 Solution
Solved! Jump to solution
Solution

bhargavnariyani
Path Finder
‎06-23-2018 10:48 AM

The release notes stats that Windows Infrastructure 1.4.4 and Windows Addon 5.0.0 are not compatible yet. http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Releasenotes
Hence you might be facing such errors.

View solution in original post

Reply
Solved! Jump to solution
Solution

bhargavnariyani
Path Finder
‎06-23-2018 10:48 AM

The release notes stats that Windows Infrastructure 1.4.4 and Windows Addon 5.0.0 are not compatible yet. http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Releasenotes
Hence you might be facing such errors.

Reply
Solved! Jump to solution

dlpco
Path Finder
‎06-23-2018 05:51 PM

I just saw that in the docs as well as during the application setup. Highest version can only be 4.8.4 right now.
OOPS!!! Thanks guys

0 Karma
Reply
Solved! Jump to solution

RupeshMano
Explorer
‎07-17-2018 04:49 PM

Hi Dipco,

Does downgrading your windows addon helped in fixing the issue ? even I have similar issue, so wanted to check if this solution worked.

0 Karma
Reply
Solved! Jump to solution

dlpco
Path Finder
‎07-17-2018 06:56 PM

Yes it did. It actually had the warning on the application setup screen if you read it. Feel a little stupid that I didn't read/see the error before I posted.

0 Karma
Reply
Solved! Jump to solution

RupeshMano
Explorer
‎07-18-2018 03:44 PM

Yeah same here, I thought 4.8 version or above 🙂 thanks for the reply. I will try it.

0 Karma
Reply
Solved! Jump to solution

darrenfuller
Contributor
‎06-22-2018 05:01 PM

Have you tried rerunning the Winfra app setup procedure? that usually clears lookup errors like that.

0 Karma
Reply
Solved! Jump to solution

dlpco
Path Finder
‎06-23-2018 04:35 PM

How do I rerun the app setup? Are you talking about the setup within the Windows Infrastructure application or do you mean to delete and re-add the application?

Just doing a rebuild on the lookups did not help.

Reply
Solved! Jump to solution

dlpco
Path Finder
‎06-23-2018 04:40 PM

Also - why is it complaining when I am not displaying Windows items or using the lookup. If I simply do a search with index=main or even index=_audit, I get the same 3 errors! Why?

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...