I tried to update the Identity lookup Expanded manually, but I ended up deleting it. After that I started to get the below error messages:
The limit has been reached for log messages in info.csv. 23 messages have not been written to info.csv. Please refer to search.log for these messages or limits.conf to configure this limit.
[********.COM] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf '(?::){0}XmlWinEventLog:' and lookup table 'identity_lookup_expanded'.
[******.COM] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf '(?:::){0}snow:' and lookup table 'identity_lookup_expanded'.
[******.COM] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf '(?i)source::....zip(.\d+)?' and lookup table 'identity_lookup_expanded'.
[*****.COM] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'ActiveDirectory' and lookup table 'identity_lookup_expanded'.
[********.COM] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'MSAD:NT6:DNS-Health' and lookup table 'identity_lookup_expanded'
I managed to retrieve the old CSV file and updated the "Identity lookup Expanded" file in Splunk (how I updated the "Identity lookup Expanded" is by uploading a new CSV "x" which contains all the data and did |outputlookup Identity lookup Expanded).
But the same errors still occur.
Should I wait until it takes effect, or do I need to do something?
Thanks in advance.