Receiving error: Could not load lookup=LOOKUP-splu...

mah · ‎04-14-2021

Hi,

I wanted to update splunk_security_essentials app (3.2.2 to 3.3.2) : after I did the restart, I have this error under all searches :

"Could not load lookup=LOOKUP-splunk_security_essentials"

I found out that there is an automatic lookup set like that :

I did a btool command and see this :

opt/splunk/bin/splunk btool props list --debug |grep LOOKUP-splunk_security_essentials

/opt/splunk/etc/apps/Splunk_Security_Essentials/default/props.conf LOOKUP-splunk_security_essentials = sse_content_exported_lookup search_title AS search_name OUTPUTNEW

What can I do to remove this error ?

Thanks for your help!

ChocolateRocket · ‎02-10-2024

i renamed and replaced the directory with fresh download.

Error has gone away but wondering if I broke a Security app that may have altered the files.

Splunk is so massively large that its daunting for Newbs. 🙂

Glad I seemed to have gotten rid of the error though.

m_pham · ‎11-08-2023

Are you still having this issue with the latest SSE app v3.7.1?

JusAnotherAdmin · ‎11-20-2023

I just did a clean install of 9.1.1 and then Splunk Security Essentials 3.7.1 and am getting this error. @m_pham

m_pham · ‎11-20-2023

There can be various reasons for this issue but here are the common ways to troubleshoot this error.

First and foremost,

- you need to track down the automatic lookup definition

- record the lookup definition name being referenced

- find the lookup definition and record the lookup table name and then go check the following:

Check if your lookup file exist - you can use the Lookup Editor app to check this or go to: Settings > Lookups > Lookup table files
Check if your lookup definition exist - you can check this by going to Settings > Lookups > Lookup definition If you are using an automatic lookup check the following:
1. Do you have the correct read permission to the lookup definition and lookup table?
2. If the permissions are correct, check the lookup table size (see step #3)
If you are using the lookup command:
1. Do you have permission to the lookup table or lookup definition?
2. Does your lookup definition exist?
3. Does your search runs fine with adding local=true to your lookup command? This means that your lookup isn't being replicated to the indexer cluster, see step #4.
Rare that this happens, but check the lookup table size for the lookup listed in the automatic lookup and check if it exceeds the size defined in [replicationSettings] in distsearch.conf. If the lookup table exceeds whatever size is defined there, the lookup error comes up.
Check if the lookup being used is in the deny list under distsearch.conf
1. btool distsearch list replicationBlacklist --debug
2. btool distsearch list replicationDenylist--debug

Update:
- I installed SSE app v3.7.1 on a new Nix host with Splunk v9.1.1 and I didn't see any lookup errors when I run a search. So I recommend you follow the troubleshooting steps above since I can't replicate the issue with a fresh app and Splunk install.

Orange_girl · ‎12-11-2023

Hi, I’m new to splunk and getting the same error message after upgrading splunk and the security essentials apps.
could you please help me understand how I can perform these steps:

First and foremost,

- you need to track down the automatic lookup definition

- record the lookup definition name being referenced

- find the lookup definition and record the lookup table name

m_pham · ‎12-12-2023

Hi - the numbered list provided step by step instructions on searching for the items I mentioned. In addition, the lookup errors you see in the UI usually tells you the name of the lookup related configuration that's having problems.

This doc page should help:

https://docs.splunk.com/Documentation/Splunk/9.1.2/Knowledge/Aboutlookupsandfieldactions#Lookup_defi...

joshiro · ‎07-18-2023

We recently encounter a similar error on some searches and we found out that the source of the problem was the KVStore failing to initialize because expired certificates.

After renewing the web certificates the error no longer shows up.

splunkreal · ‎06-20-2023

Hello, this issue has been seen in test environment not in production so we removed it from test environment without resolution.

* If this helps, please upvote or accept solution if it solved *

esafaei · ‎06-12-2023

Hi there!

I had same issue after upgrading from version 9.0.4.1 to 9.0.5.

The upgrade process had been started by root user and I had Permission issues with different files.

In my experience running the below command resolved the issue.

# chown -R splunk:splunk /opt/splunk

Good luck!

splunkreal · ‎06-20-2023

Hello,

this didn't help, hopefully this only happened in test env.

* If this helps, please upvote or accept solution if it solved *

tro · ‎12-02-2022

Same issue 😕

davvik · ‎02-01-2022

Did you manage to solve this?

aaron_barrett · ‎11-10-2021

I am also encountering this error on 3.4.0. Have you found a solution? Considering trying a rollback.

ChocolateRocket · ‎02-10-2024

New Windows install and getting this error.

Wish there was a simple fix as its polluting our POC for a large purchase to get away from other product(s).

Receiving error: Could not load lookup=LOOKUP-splunk_security_essentials

lookup

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?