Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Could not load lookup=LOOKUP-record_type

xenomorph
Loves-to-Learn Lots
‎09-04-2024 10:56 AM

 WE updated the Sysmon add-on from 3.x to 4.0.1 (latest) on a search head cluster. After, we're getting errors about how the node we're on and the indexers can't load a lookup

(Could not load lookup=LOOKUP-record_type).

Labels (1)
Labels
0 Karma
Reply

xenomorph
Loves-to-Learn Lots
‎09-04-2024 11:00 AM

many thanks to Ryan McGinn

0 Karma
Reply

xenomorph
Loves-to-Learn Lots
‎09-04-2024 10:59 AM

In Splunk_TA_microsoft_sysmon\default\app.conf or Splunk_TA_microsoft_sysmon\local\app.conf add the following then deploy the SHC bundle 

[shclustering]
deployer_lookups_push_mode = always_overwrite

In the app.conf seems the best way for the sysmon TA

0 Karma
Reply

xenomorph
Loves-to-Learn Lots
‎09-04-2024 10:57 AM

the -preserve-lookups true option when we did the SHC bundle push and the add-on's 3.x version of the lookup had a different field name (record_type ) vs the version in 4.x which is record_type_id.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...