Hi,
Following the official instructions https://apps.splunk.com/apps/id/Splunk_TA_microsoft_sysmon ,
Splunk Add-on for Sysmon 4.0.0
I just deployed the add-on for Sysmon on my indexer, search head and deployment servers, so I started to collect Sysmon logs.
I am running Sysmon 15.14 on the endpoints. The logs started to flow into Splunk, but when I do searches on the index I constantly receive the following error:
[indexer.mydomain.es, mysearchhead.mydomain.es] Could not load lookup=LOOKUP-eventcode
I read the information in https://docs.splunk.com/Documentation/AddOns/released/MSSysmon/Lookups but I couldn't find the root cause. The CSV files are in the path indicated in the documentation. 😕
Any suggestion?
Many thanks
If you look under Lookups, it should show that those are all set and defined. So double-check Lookup table files / Lookup definitions / Automatic lookups, and check the Sysmon app context.
Also check if there's another lookup with that name; sometimes I have seen another one with the same name.
# This should point to most of the Sysmon TA code (transforms) or show another one.
/opt/splunk/bin/splunk cmd btool transforms list eventcode --debug
You were so right @deepakc ! Thanks a lot.
I had duplicate eventcode lookups created by the Microsoft Windows Defender Add-on for Splunk and Splunk_TA_microsoft_sysmon.
I just removed the Defender Add-on, which is not officially supported. I need to find some other one with support that I guess will not generate this type of conflict. Do you have any suggestion for this? 😉
No worries, glad it worked out 🙂
I guess you can have the same auto lookup attribute names inside the same app, which then point to the lookup files being used, but it causes issues when the same name is inside another app (I know Splunk sends a message for saved searches with the same or duplicate name, but I don't think it does for lookups).
So, something like this alert may help:
| rest splunk_server=local servicesNS/admin/search/data/props/lookups
| search attribute=LOOKUP-*
| stats count by attribute
```Filter or add ones that are OK as they may be other attributes that use similar lookups in the same App context```
```| search NOT attribute="LOOKUP-my_ok_lookup1" NOT attribute="LOOKUP- my_ok_lookup2"```
| eval duplicate=if(count > 1, "Yes", "No")
| where count > 1
You can then explore whether there are other apps that use the same attribute name.
Example, in your case eventcode:
| rest splunk_server=local servicesNS/admin/search/data/props/lookups
| search attribute=LOOKUP-eventcode
Have a play and see if this helps.
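The btool check in the first answer and the REST search above both look for the same thing: an automatic lookup attribute (LOOKUP-eventcode) and its transforms stanza (eventcode) defined by more than one app, so that the merged config ends up with whichever definition wins precedence. As an added example, not part of the thread and not code from the Sysmon TA, the script below does that comparison offline on raw .conf text, the way you would after copying $SPLUNK_HOME/etc/apps/*/{default,local}/props.conf and transforms.conf off a search head. The app name Defender_Addon, the Defender sourcetype stanza, the field names after OUTPUT and the CSV filenames are constructed placeholders; the Sysmon sourcetype stanza is the TA's real one. The script does not apply Splunk's local/default precedence inside an app, it only reports where the same name is defined twice.

```python
"""
Offline check for Splunk automatic-lookup collisions across apps.

Constructed example: parses props.conf / transforms.conf text and reports
  * LOOKUP-<name> attributes defined by more than one app, and
  * transforms.conf stanzas with the same name in more than one app,
    each with the filename it points at.
The sample .conf contents below are made up for the example; only the
Sysmon sourcetype stanza name matches the real TA.
"""
import re
from collections import defaultdict

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
KV_RE = re.compile(r"^(?P<key>[^=#\s][^=]*?)\s*=\s*(?P<value>.*?)$")


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}.
    Comment lines (#) and blank lines are skipped; keys stay case-sensitive."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            stanzas[current][m.group("key")] = m.group("value")
    return stanzas


def lookup_attributes(apps_props):
    """apps_props: {app: props.conf text}.
    Returns {"LOOKUP-<name>": [(app, stanza, transform_name), ...]}."""
    index = defaultdict(list)
    for app, text in apps_props.items():
        for stanza, kv in parse_conf(text).items():
            for key, value in kv.items():
                if key.startswith("LOOKUP-"):
                    # value is "<transform> <field> [AS alias] OUTPUT ...";
                    # the first token names the transforms.conf stanza.
                    transform = value.split()[0] if value else ""
                    index[key].append((app, stanza, transform))
    return index


def duplicate_lookup_attributes(apps_props):
    """LOOKUP-* attribute names defined in more than one app
    (the offline equivalent of the REST search's count > 1)."""
    return {attr: defs for attr, defs in lookup_attributes(apps_props).items()
            if len({app for app, _, _ in defs}) > 1}


def transform_collisions(apps_transforms):
    """Transforms stanzas defined by more than one app, with each app's filename.
    This is what `splunk cmd btool transforms list <stanza> --debug` exposes."""
    owners = defaultdict(dict)
    for app, text in apps_transforms.items():
        for stanza, kv in parse_conf(text).items():
            owners[stanza][app] = kv.get("filename", "")
    return {stanza: files for stanza, files in owners.items() if len(files) > 1}


def report(apps_props, apps_transforms):
    """Human-readable summary of both kinds of collision."""
    lines = []
    for attr, defs in sorted(duplicate_lookup_attributes(apps_props).items()):
        lines.append(f"{attr} is defined in {len(defs)} apps:")
        for app, stanza, transform in sorted(defs):
            lines.append(f"  {app}: [{stanza}] -> transforms stanza [{transform}]")
    for stanza, files in sorted(transform_collisions(apps_transforms).items()):
        lines.append(f"transforms stanza [{stanza}] is defined in {len(files)} apps:")
        for app, fname in sorted(files.items()):
            lines.append(f"  {app}: filename = {fname}")
    return "\n".join(lines)


# Constructed sample: two add-ons both shipping LOOKUP-eventcode -> [eventcode].
SAMPLE_PROPS = {
    "Splunk_TA_microsoft_sysmon": """
[XmlWinEventLog:Microsoft-Windows-Sysmon/Operational]
LOOKUP-eventcode = eventcode EventCode OUTPUT EventDescription
""",
    "Defender_Addon": """
[XmlWinEventLog:Microsoft-Windows-Windows Defender/Operational]
LOOKUP-eventcode = eventcode EventCode OUTPUT event_description
""",
    "search": """
[default]
# no automatic lookups in this app
""",
}
SAMPLE_TRANSFORMS = {
    "Splunk_TA_microsoft_sysmon": "[eventcode]\nfilename = sysmon_eventcode.csv\n",
    "Defender_Addon": "[eventcode]\nfilename = defender_eventcode.csv\n",
}

if __name__ == "__main__":
    print(report(SAMPLE_PROPS, SAMPLE_TRANSFORMS))
```

Run it as-is to see the two constructed apps collide on both the LOOKUP-eventcode attribute and the [eventcode] transforms stanza; to use it for real, read each app's props.conf and transforms.conf into the two dicts keyed by app directory name. An attribute name repeated across stanzas inside one app is not flagged, matching the caveat in the reply above; a transforms stanza owned by two apps is, because only one filename survives the merge.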