Why is the Windows App Lookup giving errors in Splunk App for Windows Infrastructure?

Path Finder

After upgrading to Splunk Add-on for Microsoft Windows 5.0.0 and Splunk App for Windows Infrastructure 1.4.4, it seems I get the following errors on every query I put in:

Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WMI:WinEventLog:Security' and lookup table 'windowsapplookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::WinEventLog:Security' and lookup table 'windowsapplookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::XmlWinEventLog:Security' and lookup table 'windowsapplookup'.

I am unsure what the "for conf" stands for, but when I do a "|inputlookup windowsapplookup" it does show the file, but no header is conf. It does show the 3 keys above.

1 Solution

Path Finder

The release notes state that Windows Infrastructure 1.4.4 and Windows Addon 5.0.0 are not compatible yet. http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Releasenotes
Hence you might be facing such errors.

Path Finder

I just saw that in the docs as well as during the application setup. Highest version can only be 4.8.4 right now.
OOPS!!! Thanks guys

0 Karma

Explorer

Hi Dipco,

Did downgrading your Windows add-on help in fixing the issue? I have a similar issue too, so I wanted to check if this solution worked.

0 Karma

Path Finder

Yes it did. It actually had the warning on the application setup screen if you read it. Feel a little stupid that I didn't read/see the error before I posted.

0 Karma

Explorer

Yeah same here, I thought 4.8 version or above 🙂 thanks for the reply. I will try it.

0 Karma

Contributor

Have you tried rerunning the Winfra app setup procedure? That usually clears lookup errors like that.

0 Karma

Path Finder

How do I rerun the app setup? Are you talking about the setup within the Windows Infrastructure application or do you mean to delete and re-add the application?

Just doing a rebuild on the lookups did not help.

Path Finder

Also - why is it complaining when I am not displaying Windows items or using the lookup? If I simply do a search with index=main or even index=_audit, I get the same 3 errors! Why?