Getting Data In

Splunk Add-on for Sysmon - Could not load lookup=LOOKUP-eventcode

corti77
Communicator

Hi,

Following the official instructions https://apps.splunk.com/apps/id/Splunk_TA_microsoft_sysmon , 

Splunk Add-on for Sysmon 4.0.0

I just deployed the addon for sysmon in my indexer, search head and deployment servers so I started to collect sysmon logs.

I am running Sysmon 15.14 on the endpoints. The logs started to flow into splunk but when I do searches on the index I constantly receive the following error:

[indexer.mydomain.es, mysearchhead.mydomain.es] Could not load lookup=LOOKUP-eventcode

I read the information in the https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/Lookups but I couldnt find the root cause. The csv are in the path indicated in the documentation. 😕

corti77_0-1718196239014.png

Any suggestion?

many thanks

 

 

 

Labels (1)
Tags (1)
0 Karma
1 Solution

deepakc
Builder

If you look under lookups,  it should show that those are all set and defined. So double check lookup up tables files / Lookup definitions / Automatic Lookups and check sysmon app context.

 Also check if there's another lookup with that name, sometimes I have seen another same name

 #this should point to most of the sysmon TA code (transforms) or show another.

/opt/splunk/bin/splunk cmd btool transforms list eventcode --debug

 

View solution in original post

deepakc
Builder

If you look under lookups,  it should show that those are all set and defined. So double check lookup up tables files / Lookup definitions / Automatic Lookups and check sysmon app context.

 Also check if there's another lookup with that name, sometimes I have seen another same name

 #this should point to most of the sysmon TA code (transforms) or show another.

/opt/splunk/bin/splunk cmd btool transforms list eventcode --debug

 

corti77
Communicator

You were so right @deepakc ! Thanks a lot.

I had duplicate eventcode lookups created by Microsoft Windows Defender Add-on for Splunk  and Splunk_TA_microsoft_sysmon

corti77_0-1718612789912.png

 

I just removed Defender Add-on which is not officially supported. I need to find some other with support that I guess will not generate this type of conflict. Do you have any suggestion for this ? 😉

 

 

 

0 Karma

deepakc
Builder

No worries, glad it worked out out 🙂  

0 Karma

deepakc
Builder

I guess you can have same auto lookup attribute names inside the same App, that then point to look up files being used.  but causes issues when same inside of another app (I know Splunk for saved searches sends a message with same name or duplicate, but I don’t think it does for lookups)

So, something like this alert may help

| rest splunk_server=local servicesNS/admin/search/data/props/lookups
| search attribute=LOOKUP-*
| stats count by attribute
```Filter or add ones that are OK as they may be other attributes that use similar lookups in the same App context```
```| search NOT attribute="LOOKUP-my_ok_lookup1" NOT attribute="LOOKUP- my_ok_lookup2"```
| eval duplicate=if(count > 1, "Yes", "No")
| where count > 1

 

You can then find out, explore if there are other apps that use the same name attribute:

Example in your case eventcode

| rest splunk_server=local servicesNS/admin/search/data/props/lookups
| search attribute=LOOKUP-eventcode

 

Have play and see if this helps.  

 

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...