Splunk Enterprise Security

Identity lookup Expanded

I tried to update the Identity lookup Expanded manually, but I ended up deleting it. After that I started to get the error messages below:
The limit has been reached for log messages in info.csv. 23 messages have not been written to info.csv. Please refer to search.log for these messages or limits.conf to configure this limit.
[********.COM] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf '(?::){0}XmlWinEventLog:' and lookup table 'identitylookupexpanded'.
[******.COM] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf '(?:::){0}snow:' and lookup table 'identitylookupexpanded'.
[******.COM] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf '(?i)source::....zip(.\d+)?' and lookup table 'identitylookupexpanded'.
[*****.COM] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'ActiveDirectory' and lookup table 'identitylookupexpanded'.
[********.COM] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'MSAD:NT6:DNS-Health' and lookup table 'identitylookupexpanded'

I managed to retrieve the old CSV file and updated the "Identity lookup Expanded" file in Splunk (how I updated the "Identity lookup Expanded" is by uploading a new CSV "x" which contains all the data, and then I did |outputlookup Identity lookup Expanded).

But the same errors still occur.
Should I wait until it takes effect, or do I need to do something?

Thanks in advance.
