We recently updated our Splunk Add-on for Windows to 5.0.1, and whenever we search we receive the error "Could not load lookup=LOOKUP-app4_for_windows_security" from all of our indexers and the search head. We have no local configuration that overrides these lookups, so they are defined as the defaults from the app. Does anyone have ideas as to what could be causing this error?
This problem happens because you likely have the Splunk App for Windows Infrastructure installed, which is not compatible. See the release notes for the Windows App here: https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Releasenotes
"The Splunk Add-on for Windows 5.0.1 is not compatible with the Splunk App for Windows Infrastructure version 1.4.4 and the Splunk App for Microsoft Exchange version 3.4.4. Use the Splunk Add-on for Windows 4.8.4 if you want to use either of these apps."
On my instance, removing the Windows Infrastructure application resolved the errors.
The cause of this is that, when using an SH cluster, you are initially advised to use the flag for not overwriting lookups (preserve_lookups). The issue is that in 5.0.1 the automatic lookups for the Windows TA changed from using sourcetype to using source (since sourcetype is being consolidated in the app). For more information on this change, see this article: https://docs.splunk.com/Documentation/WindowsAddOn/8.1.2/User/UpgradeFromEarlierVersions#Upgrade_sav...
The solution to remedy this is to either:
Run the following search in your Windows Infrastructure app; this will update the old CSV, merging the changes of both CSVs.
| inputlookup windows_apps.csv
| eval source=sourcetype
| append [ makeresults | eval EventCode="NA" | eval Source_Network_Address="NA" | eval Target_Server_Name="NA" | eval Logon_Type="NA" | eval app="win:unknown" | eval source="XmlWinEventLog:Security" | eval sourcetype="XmlWinEventLog:Security" ]
| append [ makeresults | eval EventCode="NA" | eval Source_Network_Address="NA" | eval Target_Server_Name="NA" | eval Logon_Type="NA" | eval app="win:unknown" | eval source="WMI:WinEventLog:Security" | eval sourcetype="WMI:WinEventLog:Security" ]
| fields - _time
| outputlookup windows_apps.csv
Seeing similar errors even after I removed the splunk app for infrastructure, and also gutted the app for exchange. No more lookups from either of those apps exist now.
I verified that the new lookup tables exist on both the Indexers and Search Heads.
I went ahead and opened up the job inspector to find out what exactly the errors were, and this is what it said in addition to "could not load lookup table": "Could not find all the specified destination fields in the lookup table"
What I find weird is that it only errors out on "app4" instead of 0, 1, 2 or 3, even though they all use the same lookup file. I also get a second lookup error for the "Categorystring for windows" lookup.
Did you remove the Splunk App for Windows Infrastructure, or just the Splunk App for Infrastructure? I didn't have the "Categorystring for windows" Error after removing the Splunk App for Windows Infrastructure, but I did have the app4 issue...
It has to do with the fact that there was a switch in the Splunk_TA_windows from sourcetype as differentiator to source. Start with this search SPL to see the now-broken lookup file data:
|inputlookup windows_apps
If this pulls up data (it definitely will if you go into the Splunk App for Windows Infrastructure app, which is the app that owns this lookup file), then expand to this SPL and run it to upgrade the lookup file to be compatible with the changes in the upgraded Splunk_TA_windows (the new source field is populated from the existing sourcetype column):
|inputlookup windows_apps
| eval source=sourcetype
|outputlookup windows_apps
Hi,
At first I changed, as mentioned before, the props.conf file and changed from sourcetype to source.
Next I ran the first SPL and it turned up nothing. The expanded one gave me an error: "Error in 'outputlookup' command: The lookup table 'windows_apps' is invalid." Is there a way of (re)creating that table?
The job inspector and search log gave me the same error.
Any advice/help is highly appreciated.
Kind regards,
Hlouwes
Hi Woodcock, sorry for the delay concerning my progress.
I opened the Splunk App for Windows Infrastructure and inside the app in the Search window I entered the search commands you specified but I keep getting the error stating that "windows_apps" is an invalid table.
Because I screwed up settings due to a wrong command we restored the server from the point before which I made some changes in the inputs.conf in order to try and fix several health checks due to missing stanzas. The Lookup-App4_for_windows_security now don't appear anymore. but the windows_apps table is still invalid.
Any other ideas or hints?
Kind regards.
Same story as @hlouwes: "The lookup table 'windows_apps' is invalid." when running the search inside the app. (Job settings show "App: splunk_app_windows_infrastructure".)
You need to run the command inside of the Splunk App for Windows Infrastructure so its knowledge objects are all in scope.
Edit the windows_apps.csv lookup file for the "Splunk App for Windows Infrastructure" and change the "sourcetype" field name to "source" as referenced by the props.conf of the same Splunk App.
On a Splunk instance installed using the default path, the lookup file to edit is located at the following path...
$SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/lookups/windows_apps.csv
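For anyone who would rather apply the repair described in the SPL answer above and in this answer as a file edit on each search head and indexer, here is an added Python example; it is not code from this thread or from Splunk. It copies the old sourcetype column into a new source column (keeping sourcetype so the older Infrastructure app still works), appends the two win:unknown fallback rows from the SPL answer, and refuses to write a file that would still lack the fields the lookup definition needs. The column list in REQUIRED_FIELDS and the sample CSV are assumptions built from the field names used in this thread, not the real windows_apps.csv schema, so check them against the transforms.conf of your installed Splunk_TA_windows before running migrate_file against the path above.

```python
"""Offline repair of a pre-5.0.1 windows_apps.csv lookup (added example, not Splunk code)."""
import csv
import io

# Columns the upgraded automatic lookup reads from windows_apps.csv.
# ASSUMPTION: taken from the field names used in this thread's SPL, not from
# the transforms.conf of Splunk_TA_windows; verify against your installed TA.
REQUIRED_FIELDS = ("source", "EventCode", "Source_Network_Address",
                   "Target_Server_Name", "Logon_Type", "app")

# Catch-all rows the SPL in this thread appends so Security events with no
# specific entry still resolve to app=win:unknown.
FALLBACK_SOURCES = ("XmlWinEventLog:Security", "WMI:WinEventLog:Security")

# Constructed sample of the old layout (sourcetype column, no source column).
SAMPLE_OLD_CSV = """\
EventCode,Source_Network_Address,Target_Server_Name,Logon_Type,app,sourcetype
4624,10.0.0.5,DC01,3,win:logon,WinEventLog:Security
4625,10.0.0.7,FS01,10,win:logon,WinEventLog:Security
"""


def missing_fields(fieldnames, required=REQUIRED_FIELDS):
    """Fields the lookup definition needs but the CSV header lacks.

    A non-empty result is the condition behind Splunk's
    'Could not find all of the specified lookup fields in the lookup table'.
    """
    return [f for f in required if f not in fieldnames]


def migrate_lookup(csv_text, fallback_sources=FALLBACK_SOURCES):
    """Return (new_csv_text, report) for a windows_apps.csv in the old layout.

    Keeps the sourcetype column (the older Infrastructure app still reads it)
    and adds a source column with the same values, which is what the upgraded
    TA's lookup definition keys on.  Running it again on its own output makes
    no further changes.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = list(reader.fieldnames or [])
    rows = list(reader)
    report = {"rows_in": len(rows), "added_source_column": False, "fallback_rows": 0}

    if "source" not in fieldnames:
        if "sourcetype" not in fieldnames:
            raise ValueError("header has neither 'source' nor 'sourcetype'; not a windows_apps.csv")
        fieldnames.append("source")
        for row in rows:
            row["source"] = row["sourcetype"]
        report["added_source_column"] = True

    missing = missing_fields(fieldnames)
    if missing:
        # Do not write a file the lookup still cannot load.
        raise ValueError(f"result would still lack lookup fields: {missing}")

    present = {row["source"] for row in rows}
    for src in fallback_sources:
        if src in present:
            continue
        row = {f: "NA" for f in fieldnames}
        row["source"] = src
        row["app"] = "win:unknown"
        if "sourcetype" in fieldnames:
            row["sourcetype"] = src
        rows.append(row)
        report["fallback_rows"] += 1

    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), report


def migrate_file(path, fallback_sources=FALLBACK_SOURCES):
    """In-place migration of a lookup file, keeping a .bak copy of the original.

    path is e.g. $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/lookups/windows_apps.csv
    """
    with open(path, newline="", encoding="utf-8") as fh:
        original = fh.read()
    new_text, report = migrate_lookup(original, fallback_sources)
    with open(path + ".bak", "w", newline="", encoding="utf-8") as fh:
        fh.write(original)
    with open(path, "w", newline="", encoding="utf-8") as fh:
        fh.write(new_text)
    return report


if __name__ == "__main__":
    migrated, summary = migrate_lookup(SAMPLE_OLD_CSV)
    print(summary)
    print(migrated)
```

After editing the file, run `| inputlookup windows_apps` inside the Splunk App for Windows Infrastructure to confirm the source column is visible; on a search head cluster, fix the copy in the deployer bundle as well so the next push does not reintroduce the old layout.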
This also worked for me.
See my answer for an easier non-admin, non-CLI method to implement this EXCELLENT solution.
This resolved the issue for me.
In my test environment, where I have been playing around with Splunk_TA_windows (upgrading to 5.0.1 and then 6.0.0) and Splunk App for Windows Infrastructure 1.5.2, I found that I had an old windows_apps.csv file in the App for Windows Infrastructure lookups directory. It appeared to be from a previous install, as 1.5.2 does not include it.
After installing TA 5.0.1, it updated the lookup definition, but it was still pointing to the old windows_apps.csv file, which has the old "sourcetype" field. The new lookup definition looks at "source", so it couldn't complete the lookup. The error in the search log pointed me in the right direction: "Could not find all of the specified lookup fields in the lookup table".
I think it was grabbing the older lookup file, because of the configuration precedence rules, but don't quote me on that.
I deleted the old windows_apps.csv file from the App for Windows Infrastructure and now the lookup is using the new windows_apps.csv located in the TA lookups directory.
We had the same error, but with a totally different cause.
When we deployed the bundle with the updated Splunk_TA_windows app from the Deployer to the Search Head Cluster, we used the "save lookups" option (as we always do) which caused the new lookup files not to be pushed to the SHC.
We were unsure whether a redeployment without the save-lookups option would accidentally overwrite other lookup directories that SHOULD be saved, so we manually pushed the new Splunk_TA_windows/lookups directory to each of the SHC members.
Just FYI for any future readers. In my case I was using the Splunk App for Windows Infrastructure v2.0.0, which does not have a windows_apps.csv lookup file. But my search heads (I have a search cluster with a deployer server) still had the lookup file in the app's directory. I guess the deployment doesn't delete files.
My fix was to remove the splunk_app_windows_infrastructure directory from my search heads before re-deploying from the deployer. That way I didn't have leftover files from older versions of the app.
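Both of the deployer-related causes in this thread (new lookup files that a preserve-lookups push leaves out, and old files that a push never deletes, such as the stale windows_apps.csv described a few posts up) come down to the same question: does a member's lookups directory match the bundle on the deployer? Here is an added Python check for that; it is not Splunk tooling. It assumes you have copied a member's $SPLUNK_HOME/etc/apps/Splunk_TA_windows/lookups directory somewhere the script can read next to the deployer's $SPLUNK_HOME/etc/shcluster/apps/Splunk_TA_windows/lookups (both are Splunk default paths). The demo directories it builds are constructed, and every file name in them other than windows_apps.csv is invented.

```python
"""Compare a deployer bundle's lookups directory with a search head member's copy
(added example, not Splunk tooling)."""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def compare_lookups(bundle_dir, member_dir, pattern="*.csv"):
    """Classify lookup files between the deployer bundle and a member.

    missing : shipped in the bundle but absent on the member (what a push
              with lookups preserved leaves behind for brand-new files)
    stale   : present on the member but not in the bundle (leftover from an
              older app version; a deployer push does not delete files)
    differs : present on both with different content (e.g. an old
              sourcetype-keyed windows_apps.csv shadowing the new one)
    """
    bundle = {p.name: _sha256(p) for p in Path(bundle_dir).glob(pattern) if p.is_file()}
    member = {p.name: _sha256(p) for p in Path(member_dir).glob(pattern) if p.is_file()}
    both = bundle.keys() & member.keys()
    return {
        "missing": sorted(bundle.keys() - member.keys()),
        "stale": sorted(member.keys() - bundle.keys()),
        "differs": sorted(n for n in both if bundle[n] != member[n]),
    }


def build_demo(root=None):
    """Constructed directory trees reproducing both situations from the thread.

    Returns (bundle_dir, member_dir).  File names other than windows_apps.csv
    are invented for the demo, not real Splunk_TA_windows lookup names.
    """
    root = Path(root or tempfile.mkdtemp(prefix="splunk-lookups-"))
    bundle = root / "shcluster" / "apps" / "Splunk_TA_windows" / "lookups"
    member = root / "apps" / "Splunk_TA_windows" / "lookups"
    bundle.mkdir(parents=True)
    member.mkdir(parents=True)
    # Bundle: new source-keyed layout plus a file that is new in this version.
    (bundle / "windows_apps.csv").write_text("source,app\nXmlWinEventLog:Security,win:unknown\n")
    (bundle / "added_in_new_version.csv").write_text("key,value\na,1\n")
    # Member: still the old sourcetype-keyed file, plus a leftover from an older install.
    (member / "windows_apps.csv").write_text("sourcetype,app\nWinEventLog:Security,win:unknown\n")
    (member / "leftover_from_old_version.csv").write_text("key,value\nz,9\n")
    return bundle, member


def run_demo():
    """Build the constructed trees and return the comparison result."""
    bundle, member = build_demo()
    return compare_lookups(bundle, member)


if __name__ == "__main__":
    for kind, names in run_demo().items():
        print(f"{kind:8} {names}")
```

Anything reported as missing needs a push without the preserve option or a manual copy, as in the post above; anything stale is a candidate for deletion before the next push, which is the fix described in this post; anything that differs is where an old sourcetype-keyed file may be shadowing the new one.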
Hmm that is interesting. I had seen that warning, however I upgraded the Splunk App for Windows Infrastructure to 1.5.1 which claims to support the latest version of the add-on. That said, when I disable the infrastructure app it resolves the errors so I guess there is still some bugs that need to be worked out. Thank you for your suggestion.
Please check if you have the lookups/windows_apps.csv file present under $SPLUNK_HOME/etc/apps/Splunk_TA_windows on both your indexers and SH, as the default/props.conf and transforms.conf refer to this file using the above transform.
If you don't have it, please re-install or copy it from another clean install.