Splunk Add-on for Sysmon - Could not load lookup=LOOKUP-eventcode

corti77
Contributor

Hi,

Following the official instructions at https://apps.splunk.com/apps/id/Splunk_TA_microsoft_sysmon (Splunk Add-on for Sysmon 4.0.0),

I just deployed the add-on for Sysmon on my indexer, search head and deployment server, so I started to collect Sysmon logs.

I am running Sysmon 15.14 on the endpoints. The logs started to flow into Splunk, but when I run searches on the index I constantly receive the following error:

[indexer.mydomain.es, mysearchhead.mydomain.es] Could not load lookup=LOOKUP-eventcode

I read the information in https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/Lookups but I couldn't find the root cause. The CSV files are in the path indicated in the documentation. 😕

[attached screenshot: corti77_0-1718196239014.png]

Any suggestion?

Many thanks

1 Solution

deepakc
Builder

If you look under Lookups, it should show that those are all set and defined. So double check Lookup table files / Lookup definitions / Automatic lookups and check the Sysmon app context.

Also check if there's another lookup with that name; sometimes I have seen another one with the same name.

# this should point to most of the Sysmon TA code (transforms) or show another one.

/opt/splunk/bin/splunk cmd btool transforms list eventcode --debug


corti77
Contributor

You were so right @deepakc ! Thanks a lot.

I had duplicate eventcode lookups created by the Microsoft Windows Defender Add-on for Splunk and Splunk_TA_microsoft_sysmon.

[attached screenshot: corti77_0-1718612789912.png]

I just removed the Defender Add-on, which is not officially supported. I need to find some other one with support that I guess will not generate this type of conflict. Do you have any suggestion for this? 😉

deepakc
Builder

No worries, glad it worked out 🙂

deepakc
Builder

I guess you can have the same auto lookup attribute names inside the same app, which then point to the lookup files being used, but it causes issues when the same name is inside another app (I know Splunk sends a message for saved searches with the same or duplicate name, but I don't think it does for lookups).

So, something like this alert may help:

| rest splunk_server=local servicesNS/admin/search/data/props/lookups
| search attribute="LOOKUP-*"
```count how many times each LOOKUP-* attribute is defined, and list the apps that define it```
| stats count values(eai:acl.app) as apps by attribute
```Filter out or add ones that are OK, as other attributes may use similar lookups in the same app context```
```| search NOT attribute="LOOKUP-my_ok_lookup1" NOT attribute="LOOKUP-my_ok_lookup2"```
| eval duplicate=if(count > 1, "Yes", "No")
| where count > 1

You can then explore whether there are other apps that use the same attribute name.

Example in your case, eventcode:

| rest splunk_server=local servicesNS/admin/search/data/props/lookups
| search attribute="LOOKUP-eventcode"
| table attribute stanza transform eai:acl.app

Have a play and see if this helps.
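The same check can be run offline against props.conf files pulled from each app (for example from `etc/apps/<app>/default/props.conf` or the output of `splunk cmd btool props list --debug`). The script below is an added example, not code from this thread or from either add-on: it parses LOOKUP-* attributes per app and reports any attribute name that is defined in two or more different apps, which is the cross-app conflict behind the "Could not load lookup=LOOKUP-eventcode" message. The app names, stanzas and transform names in SAMPLE_APPS are constructed sample data, not the real contents of the Sysmon or Defender add-ons.

```python
"""Offline check for duplicate LOOKUP-* attributes across Splunk apps.

Added example (not part of the thread). The props.conf fragments in
SAMPLE_APPS are constructed for demonstration only.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^\[(.+)\]$")
# Only LOOKUP-* keys matter here; a value reads "<transform> <input fields> OUTPUT[NEW] <output fields>".
LOOKUP_ATTR_RE = re.compile(r"^(LOOKUP-[^\s=]+)\s*=\s*(.+?)$")


def parse_lookup_attrs(conf_text):
    """Return [(stanza, attribute, value)] for every LOOKUP-* key in one props.conf text."""
    stanza = None
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        sect = SECTION_RE.match(line)
        if sect:
            stanza = sect.group(1)
            continue
        attr = LOOKUP_ATTR_RE.match(line)
        if attr and stanza is not None:
            found.append((stanza, attr.group(1), attr.group(2)))
    return found


def find_duplicate_lookups(app_confs):
    """app_confs maps app name -> props.conf text.

    Returns {attribute: [(app, stanza, value), ...]} for each LOOKUP-*
    attribute defined in two or more different apps. The same attribute
    repeated inside a single app is not reported, matching the thread's
    observation that only the cross-app duplicate causes trouble.
    """
    hits = defaultdict(list)
    for app, text in app_confs.items():
        for stanza, attr, value in parse_lookup_attrs(text):
            hits[attr].append((app, stanza, value))
    return {
        attr: entries
        for attr, entries in hits.items()
        if len({app for app, _, _ in entries}) > 1
    }


# Constructed sample props.conf fragments (hypothetical app names and transforms).
SAMPLE_APPS = {
    "Splunk_TA_microsoft_sysmon": """
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
LOOKUP-eventcode = sysmon_eventcode_lookup EventCode OUTPUTNEW EventDescription
""",
    "TA-windows-defender-example": """
[XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
LOOKUP-eventcode = defender_eventcode_lookup EventCode OUTPUTNEW EventDescription
""",
    "search": """
[source::example_app_log]
LOOKUP-severity = severity_lookup code OUTPUT severity_name
""",
}


def report(app_confs):
    """Return human-readable lines describing each conflicting attribute and where it lives."""
    lines = []
    for attr, entries in sorted(find_duplicate_lookups(app_confs).items()):
        lines.append(f"{attr} is defined in {len(entries)} places:")
        for app, stanza, value in entries:
            lines.append(f"  app={app} stanza=[{stanza}] -> {value}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_APPS) or ["no cross-app duplicate LOOKUP-* attributes found"]:
        print(line)
```

To use it on a real instance, read each app's props.conf into the dictionary keyed by app name; the btool output quoted earlier in the thread remains the authoritative view of what Splunk actually merges, since this script only sees the text you hand it and does not apply Splunk's configuration precedence.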