Why is the Windows App Lookup giving errors in Splunk App for Windows Infrastructure?

dlpco
Path Finder

After upgrading to Splunk Add-on for Microsoft Windows 5.0.0 and Splunk App for Windows Infrastructure 1.4.4, it seems I get the following errors on every query I put in:

Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WMI:WinEventLog:Security' and lookup table 'windows_app_lookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::WinEventLog:Security' and lookup table 'windows_app_lookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::XmlWinEventLog:Security' and lookup table 'windows_app_lookup'.

I am unsure what the "for conf" stands for, but when I do a "|inputlookup windows_app_lookup" it does show the file, but no header is conf. It does show the 3 keys above.

1 Solution

bhargavnariyani
Path Finder

The release notes state that Windows Infrastructure 1.4.4 and Windows Addon 5.0.0 are not compatible yet. http://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Releasenotes
Hence you might be facing such errors.

dlpco
Path Finder

I just saw that in the docs as well as during the application setup. Highest version can only be 4.8.4 right now.
OOPS!!! Thanks guys

0 Karma

RupeshMano
Explorer

Hi Dipco,

Did downgrading your Windows addon help in fixing the issue? Even I have a similar issue, so I wanted to check if this solution worked.

0 Karma

dlpco
Path Finder

Yes it did. It actually had the warning on the application setup screen if you read it. Feel a little stupid that I didn't read/see the error before I posted.

0 Karma

RupeshMano
Explorer

Yeah same here, I thought 4.8 version or above 🙂 thanks for the reply. I will try it.

0 Karma

darrenfuller
Contributor

Have you tried rerunning the Winfra app setup procedure? That usually clears lookup errors like that.

0 Karma

dlpco
Path Finder

How do I rerun the app setup? Are you talking about the setup within the Windows Infrastructure application or do you mean to delete and re-add the application?

Just doing a rebuild on the lookups did not help.

dlpco
Path Finder

Also - why is it complaining when I am not displaying Windows items or using the lookup? If I simply do a search with index=main or even index=_audit, I get the same 3 errors! Why?
