Splunk Enterprise Security

App for Enterprise Security error: lookup_expander: Some extra fields were present in the input CSV

jaoui
Path Finder

The messages at the top of the screen populates with the following error:
lookup_expander: Some extra fields were present in the input CSV

I want to keep the extra fields in my lookup but I don't want my users to see the error message

Any ideas on what I should do?

0 Karma

jervin_splunk
Splunk Employee
Splunk Employee

Custom fields in asset and/or identity tables were prohibited by design beginning in Enterprise Security 2.2, which contained performance optimizations for asset and identity correlation.

However, we now have a patch that provides custom field support for Enterprise Security 2.4. To obtain it you should contact Support to open a case. Provide your exact Splunk and app version information, and we should be able to help.

0 Karma
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...