Hello Splunkers,
I keep getting the error message "Could not load lookup=LOOKUP-app_proto" in multiple apps on multiple dashboards. I have checked settings and neither the lookup file or definition existed and I can't figure out what is asking for this lookup. I can't find a reference to a lookup by that name in any documentation or on any of the Splunk sites. I have created a lookup with a matching name but I don't know where to put it. I added it to the search app but I still got the error, then I added it to an app getting the error and that didn't work either. Basic system info is below, let me know what other info you would like and I will provide it as soon as I can. Thanks for reading.
Stand-alone Splunk Enterprise
Version: 7.3.0
Build: 657388c7a488
CIM: 4.13.0
Apps: (Not all apps listed)
InfoSec App for Splunk (getting error on some dashboards)
Network Traffic App for Splunk (not getting the error)
Cisco Security Suite (getting error on all dashboards)
Obelisk Threat Intel (getting error on all "Splash" page dashboards)
Splunk Security Essentials (getting error on "app awareness" dashboards)
Splunk Stream (getting error on all informational dashboards)
Firegen for Cisco ASA (getting error on all summary page dashboards)
Cisco Firepower App for Splunk (getting error on all default dashboards)
comment converted to answer
**SOLUTION
I found the culprit, it was the Splunk Stream app.
Searching automatic lookups for "*LOOKUP-app_proto" shows 10 auto lookups. Here are the first 3. The other 7 follow the same format. (stream:XXX : LOOKUP-app_proto)
stream:dhcp : LOOKUP-app_proto
stream:dns : LOOKUP-app_proto
stream:http : LOOKUP-app_proto
Searching both "Settings->lookup->Lookup table file" and "Settings->lookup->Lookup definitions" for the same string (*LOOKUP-app_proto) returns no results.
Looking at these auto lookups, they list the "lookup definition" as stream_app_lookup, checking there showed "stream_app_lookup" was present but listed "supported fields" as none. Next, I checked the Lookup table files and found that "stream_app_lookup" was not present. (This should have been created when the Stream app was installed.)
Searching the splunk directory for "*app_lookup.csv" showed the file in Splunk\etc\apps\splunk_app_stream\install\Splunk_TA_stream\lookups\
I created a new lookup table file using the name "stream_app_lookup" and the found file. I set the app as "splunk_app_stream" and the permissions as global.
The error has stopped.
Thanks
I had the same error, but a different fix.
I had actually created a lookup with same name as an existing lookup, but with different fields. This name collision was causing the error. I changed the name of the new lookup and the errors went away.
I honestly wouldn't have found my issue if it wasn't for this thread.
comment converted to answer
**SOLUTION
I found the culprit, it was the Splunk Stream app.
Searching automatic lookups for "*LOOKUP-app_proto" shows 10 auto lookups. Here are the first 3. The other 7 follow the same format. (stream:XXX : LOOKUP-app_proto)
stream:dhcp : LOOKUP-app_proto
stream:dns : LOOKUP-app_proto
stream:http : LOOKUP-app_proto
Searching both "Settings->lookup->Lookup table file" and "Settings->lookup->Lookup definitions" for the same string (*LOOKUP-app_proto) returns no results.
Looking at these auto lookups, they list the "lookup definition" as stream_app_lookup, checking there showed "stream_app_lookup" was present but listed "supported fields" as none. Next, I checked the Lookup table files and found that "stream_app_lookup" was not present. (This should have been created when the Stream app was installed.)
Searching the splunk directory for "*app_lookup.csv" showed the file in Splunk\etc\apps\splunk_app_stream\install\Splunk_TA_stream\lookups\
I created a new lookup table file using the name "stream_app_lookup" and the found file. I set the app as "splunk_app_stream" and the permissions as global.
The error has stopped.
Thanks
hey eliasit,
can you suggest some inputs in integrating the splunk_app_stream to get the dns logs, seems its not fetching the data from dns servers when I tried installing splfwdrs in dns server via deployment server.
There can be another issue which might cause this error, the issue is explained below. If you mess up with input and output lookup fields then it can result in the same error.
For example, consider a sample lookup file with fields: mac_id and the same field in events is mac_orig.
mac_id = mac_orig
and this should show up in lookup definition as:
mac_id as mac_orig,
If this order is reversed then the above error is seen.
When you create a lookup definition at splunk, you have to run a command at splunk, to refresh the new configuration, because sometimes splunk does not recognise the new configuration. there two ways to do it
1 - run the command debug refresh, this commando will make splunk to get the new lookup definition, this happened with myself several times. I am only able to get the lookup working properly after I run this process. It does not restart the splunk service, only reload the configuration definitions.
-> http://servername:8000/en-GB/debug/refresh
2 - restart the splunk service
Remember that all the configuration for the lookup definitions have to be done before you run this command.
Here is a link to document about lookup files -> https://docs.splunk.com/Documentation/Splunk/7.3.2/Knowledge/Addfieldsfromexternaldatasources
@Vijeta
Looking back at my reply I realize my response was incomplete.
There are no automatic lookups listed under that name (LOOKUP-app_proto).
Thanks
@eliasit - Did you check under Seetings->lookup->automatic lookup. Is the lookup present there , probably the permissions are not correct, that is why you are seeing the error.
@Vijeta
Sorry this reply is a week late. I didn't get a notification about your reply.
There are no automatic lookups listed.