Why the error after updating the Add-on for Windows "Could not load lookup=LOOKUP-app4_for_windows_security"?

wcates
Explorer

We recently updated our Splunk add-on for Windows to 5.0.1; whenever we search, we receive the error "Could not load lookup=LOOKUP-app4_for_windows_security" from all of our indexers and our search head. We have no local configuration that overrides these lookups, so they are defined as the defaults from the app. Does anyone have ideas as to what could be causing this error?

1 Solution

dcottindustry
Explorer

This problem happens because you likely have the Splunk App for Windows Infrastructure installed, which is not compatible. See the release notes for the Windows App here: https://docs.splunk.com/Documentation/WindowsAddOn/latest/User/Releasenotes

"The Splunk Add-on for Windows 5.0.1 is not compatible with the Splunk App for Windows Infrastructure version 1.4.4 and the Splunk App for Microsoft Exchange version 3.4.4. Use the Splunk Add-on for Windows 4.8.4 if you want to use either of these apps."

On my instance, removing the Windows Infrastructure application resolved the errors.


haraksin
Path Finder

The cause of this is that, when using an SH cluster, you are initially advised to use the flag for not overwriting lookups (preserve_lookups). The issue is that in 5.0.1 the automatic lookups for the Windows TA changed from using sourcetype to using source (since sourcetype is being consolidated in the app). For more information on this change, see this article: https://docs.splunk.com/Documentation/WindowsAddOn/8.1.2/User/UpgradeFromEarlierVersions#Upgrade_sav...

The solution to remedy this is to either:

  1. Update the lookup file manually on the SH members GUI via file upload, which is "windows_apps.csv"
  2. Update the lookup file manually on the SH members GUI via search (see this answer from woodcock https://community.splunk.com/t5/All-Apps-and-Add-ons/After-Updating-the-Add-on-for-Windows-receive-e...)

kamaljagga
Path Finder

Run the following search in your Windows Infrastructure app; this will update the old CSV, merging the changes of both CSVs.

| inputlookup windows_apps.csv
| eval source=sourcetype
| append [ makeresults | eval EventCode="NA" | eval Source_Network_Address="NA" | eval Target_Server_Name="NA" | eval Logon_Type="NA" | eval app="win:unknown" | eval source="XmlWinEventLog:Security" | eval sourcetype="XmlWinEventLog:Security" ]
| append [ makeresults | eval EventCode="NA" | eval Source_Network_Address="NA" | eval Target_Server_Name="NA" | eval Logon_Type="NA" | eval app="win:unknown" | eval source="WMI:WinEventLog:Security" | eval sourcetype="WMI:WinEventLog:Security" ]
| fields - _time
| outputlookup windows_apps.csv


mfiller_schell
Engager

Seeing similar errors even after I removed the splunk app for infrastructure, and also gutted the app for exchange. No more lookups from either of those apps exist now.

I verified that the new lookup tables exist on both the Indexers and Search Heads.

I went ahead and opened up the job inspector to find out what exactly the errors were and this is what it said in addition to could not load lookup table: "Could not find all the specified destination fields in the lookup table"

What I find weird is that it only errors out "app4" instead of 0,1,2 or 3. Even though they all use the same lookup file. I also get a second lookup error for the "Categorystring for windows" lookup.


haraksin
Path Finder

Did you remove the Splunk App for Windows Infrastructure, or just the Splunk App for Infrastructure? I didn't have the "Categorystring for windows" Error after removing the Splunk App for Windows Infrastructure, but I did have the app4 issue...


woodcock
Esteemed Legend

It has to do with the fact that there was a switch in the Splunk_TA_windows from sourcetype as differentiator to source. Start with this search SPL to see the now-broken lookup file data:

|inputlookup windows_apps

If this pulls up data (it definitely will if you go into the Splunk App for Windows Infrastructure app which is the app that owns this lookup file), then expand to this SPL and run it to upgrade the lookup file to be compatible with the changes in the upgraded Splunk_TA_windows:

| inputlookup windows_apps
| eval source=sourcetype
| outputlookup windows_apps

hlouwes
New Member

Hi,

At first I changed, as mentioned before, the props.conf file and changed from sourcetype to source.

Next I ran the first SPL and it turned up nothing. The expanded one gave me an error: "Error in 'outputlookup' command: The lookup table 'windows_apps' is invalid." Is there a way of (re)creating that table?
The job inspector and search log gave me the same error.
Any advice/help is highly appreciated.

Kind regards,
Hlouwes


hlouwes
New Member

Hi Woodcock, sorry for the delay concerning my progress.

I opened the Splunk App for Windows Infrastructure and inside the app in the Search window I entered the search commands you specified but I keep getting the error stating that "windows_apps" is an invalid table.

Because I screwed up settings due to a wrong command, we restored the server to the point before I made some changes in inputs.conf in order to try and fix several health checks due to missing stanzas. The Lookup-App4_for_windows_security error now doesn't appear anymore, but the windows_apps table is still invalid.

Any other ideas or hints?

Kind regards.


mitag
Contributor

Same story as @hlouwes: "The lookup table 'windows_apps' is invalid." when running the search inside the app. (Job settings show "App: splunk_app_windows_infrastructure".)


woodcock
Esteemed Legend

You need to run the command inside of the Splunk App for Windows Infrastructure so its knowledge objects are all in scope.


napomokoetle
Communicator

Edit the windows_apps.csv lookup file for the "Splunk App for Windows Infrastructure" and change the "sourcetype" field name to "source" as referenced by the props.conf of the same Splunk App.

On a Splunk instance installed using the default path, the lookup file to edit is located at the following path:

$SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/lookups/windows_apps.csv

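The two fixes above (kamaljagga's search that adds a source column, and napomokoetle's manual rename of the field in windows_apps.csv) both come down to giving the CSV the match field the upgraded add-on expects. The script below is an added example, not Splunk's code or anything from the thread: it checks a windows_apps.csv header for the fields the lookup definition needs (the "Could not find all of the specified destination fields" condition) and, if only the old sourcetype column is present, adds a source column copied from it while keeping sourcetype so an older definition still works. The expected field list and the sample CSV rows are constructed for the example; the column names are taken from the search in the thread, and a file with neither column is treated as one that has to be recreated from a clean install rather than guessed at.

```python
"""Check and migrate a Splunk windows_apps.csv lookup file.

Added example (not Splunk's code): Splunk_TA_windows 5.0.1 matches the
windows_apps lookup on 'source' instead of 'sourcetype', so an old CSV that
only has a 'sourcetype' column fails with "could not load lookup" /
"Could not find all of the specified destination fields".
"""
import csv
import io

# Fields the thread's searches write into windows_apps.csv, plus 'source'
# as the match field used by the upgraded add-on (assumption for this example).
EXPECTED_FIELDS = ("EventCode", "Source_Network_Address", "Target_Server_Name",
                   "Logon_Type", "app", "source")

# Constructed sample of an old-style lookup file: 'sourcetype', no 'source'.
OLD_CSV = (
    "EventCode,Source_Network_Address,Target_Server_Name,Logon_Type,app,sourcetype\n"
    "4624,10.0.0.5,FILESRV01,3,win:remote,WinEventLog:Security\n"
    "4625,-,-,2,win:local,WinEventLog:Security\n"
)


def missing_lookup_fields(csv_text, expected=EXPECTED_FIELDS):
    """Return the expected field names absent from the CSV header.

    A non-empty result is what the lookup definition complains about in the
    job inspector, so this is the check to run before touching the file.
    """
    header = next(csv.reader(io.StringIO(csv_text)), [])
    return [name for name in expected if name not in header]


def migrate_sourcetype_to_source(csv_text):
    """Add a 'source' column copied from 'sourcetype' if it is missing.

    The original 'sourcetype' column is kept so an older lookup definition
    that still matches on it keeps working. Returns (new_csv_text, rows_changed);
    a file that already has 'source' is returned unchanged with rows_changed == 0.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = list(reader.fieldnames or [])
    if "source" in fieldnames:
        return csv_text, 0
    if "sourcetype" not in fieldnames:
        raise ValueError("lookup has neither 'source' nor 'sourcetype'; "
                         "recreate it from a clean add-on install")
    rows = list(reader)
    for row in rows:
        row["source"] = row["sourcetype"]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames + ["source"],
                            lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), len(rows)


def lookup_rows(csv_text):
    """Parse the CSV into a list of dicts (helper for inspection and tests)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


if __name__ == "__main__":
    print("missing before:", missing_lookup_fields(OLD_CSV))
    fixed, changed = migrate_sourcetype_to_source(OLD_CSV)
    print("rows migrated:", changed)
    print("missing after:", missing_lookup_fields(fixed))
    print(fixed)
```

To apply it to a real file, read $SPLUNK_HOME/etc/apps/splunk_app_windows_infrastructure/lookups/windows_apps.csv into a string, keep a backup, write the returned text back, and run missing_lookup_fields on the result first; a lookup that still reports missing fields after migration points at a stale copy of the file (the leftover-file cases described later in this thread) rather than at the column rename.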

snix
Communicator

This also worked for me.


woodcock
Esteemed Legend

See my answer for an easier non-admin, non-CLI method to implement this EXCELLENT solution.


dtrelford
Path Finder

This resolved the issue for me.

jschroederevers
Explorer

In my test environment, where I have been playing around with Splunk_TA_windows (upgrading to 5.01 and then 6.00) and Splunk App for Windows Infrastructure 1.5.2, I found that I had an old windows_apps.csv file in the App for Windows Infrastructure lookups directory. It appeared to be from a previous install as 1.5.2 does not include it.

After installing TA 5.01, it updated the lookup definition, but it was still pointing to the old windows_apps.csv file which has the old "sourcetype" field. The new lookup definition looks at "source", so it couldn't complete the lookup. The error in the search log pointed me in the right direction - "Could not find all of the specified lookup fields in the lookup table".

I think it was grabbing the older lookup file, because of the configuration precedence rules, but don't quote me on that.

I deleted the old windows_apps.csv file from the App for Windows Infrastructure and now the lookup is using the new windows_apps.csv located in the TA lookups directory.

gurlest
Path Finder

We had the same error, but with a totally different cause.

When we deployed the bundle with the updated Splunk_TA_windows app from the Deployer to the Search Head Cluster, we used the "save lookups" option (as we always do) which caused the new lookup files not to be pushed to the SHC.

We were unsure whether a redeployment without the save-lookups option would accidentally overwrite other lookup directories that SHOULD be saved, so we manually pushed the new Splunk_TA_windows/lookups directory to each of the SHC members.


Ranazar
Path Finder

Just FYI for any future readers. In my case I was using the Splunk App for Windows Infrastructure v2.0.0, which does not have a windows_apps.csv lookup file. But my search heads (I have a search cluster with a deployer server) still had the lookup file in the app's directory. I guess the deployment doesn't delete files.

My fix was to remove the splunk_app_windows_infrastructure directory from my search heads before re-deploying from the deployer. That way I didn't have leftover files from older versions of the app.

wcates
Explorer

Hmm, that is interesting. I had seen that warning; however, I upgraded the Splunk App for Windows Infrastructure to 1.5.1, which claims to support the latest version of the add-on. That said, when I disable the infrastructure app it resolves the errors, so I guess there are still some bugs that need to be worked out. Thank you for your suggestion.


lakshman239
Influencer

Please check whether you have the lookups/windows_apps.csv file present under $SPLUNK_HOME/etc/apps/Splunk_TA_Windows on both your indexers and SH, as the default/props.conf and transforms.conf refer to this file using the above transform.

If you don't have it, please re-install or copy from another clean install.
