Splunk Enterprise Security

App for Enterprise Security error: lookup_expander: Some extra fields were present in the input CSV

jaoui
Path Finder

The messages at the top of the screen populates with the following error:
lookup_expander: Some extra fields were present in the input CSV

I want to keep the extra fields in my lookup but I don't want my users to see the error message

Any ideas on what I should do?

0 Karma

jervin_splunk
Splunk Employee
Splunk Employee

Custom fields in asset and/or identity tables were prohibited by design beginning in Enterprise Security 2.2, which contained performance optimizations for asset and identity correlation.

However, we now have a patch that provides custom field support for Enterprise Security 2.4. To obtain it you should contact Support to open a case. Provide your exact Splunk and app version information, and we should be able to help.

0 Karma
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...