
Receiving error: Could not load lookup=LOOKUP-splunk_security_essentials

mah
Builder

Hi, 

I wanted to update the splunk_security_essentials app (3.2.2 to 3.3.2). After I did the restart, I have this error under all searches:

"Could not load lookup=LOOKUP-splunk_security_essentials"

I found out that there is an automatic lookup set up like this:


I ran a btool command and see this:

/opt/splunk/bin/splunk btool props list --debug | grep LOOKUP-splunk_security_essentials

/opt/splunk/etc/apps/Splunk_Security_Essentials/default/props.conf LOOKUP-splunk_security_essentials = sse_content_exported_lookup search_title AS search_name OUTPUTNEW

What can I do to remove this error?

Thanks for your help! 


ChocolateRocket
Explorer

I renamed and replaced the directory with a fresh download.

The error has gone away, but I'm wondering if I broke a security app that may have altered the files.

Splunk is so massively large that it's daunting for newbs. 🙂

Glad I seemed to have gotten rid of the error though.


m_pham
Splunk Employee

Are you still having this issue with the latest SSE app v3.7.1? 


JusAnotherAdmin
Engager

I just did a clean install of 9.1.1 and then Splunk Security Essentials 3.7.1 and am getting this error. @m_pham 


m_pham
Splunk Employee

There can be various reasons for this issue, but here are the common ways to troubleshoot this error.

First and foremost:

- you need to track down the automatic lookup definition

- record the lookup definition name being referenced

- find the lookup definition and record the lookup table name, and then go check the following:

  1. Check if your lookup file exists - you can use the Lookup Editor app to check this or go to: Settings > Lookups > Lookup table files

  2. Check if your lookup definition exists - you can check this by going to Settings > Lookups > Lookup definitions. If you are using an automatic lookup, check the following:

    1. Do you have the correct read permission to the lookup definition and lookup table?

    2. If the permissions are correct, check the lookup table size (see step #3)

  3. If you are using the lookup command:

    1. Do you have permission to the lookup table or lookup definition?

    2. Does your lookup definition exist?

    3. Does your search run fine after adding local=true to your lookup command? This means that your lookup isn't being replicated to the indexer cluster; see step #4.

  4. Rare that this happens, but check the lookup table size for the lookup listed in the automatic lookup and check if it exceeds the size defined in [replicationSettings] in distsearch.conf. If the lookup table exceeds whatever size is defined there, the lookup error comes up.

  5. Check if the lookup being used is in the deny list under distsearch.conf:
    1. splunk btool distsearch list replicationBlacklist --debug
    2. splunk btool distsearch list replicationDenylist --debug

Update:
- I installed SSE app v3.7.1 on a new *nix host with Splunk v9.1.1 and I didn't see any lookup errors when I ran a search. So I recommend you follow the troubleshooting steps above, since I can't replicate the issue with a fresh app and Splunk install.
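The procedure above, turned into a script. This is an added example and is not part of m_pham's answer or of the SSE app: it parses btool output of the same shape as the line in the original question, resolves the automatic lookup to its transforms stanza and lookup table, and then runs the file-exists, size and denylist checks. The directory layout under $SPLUNK_HOME (default /opt/splunk) and every sample line in the usage below are assumptions/constructed; the excludeReplicatedLookupSize key is the [replicationSettings] setting I believe governs the size cut-off, so confirm it against the distsearch.conf spec for your version.

```shell
#!/bin/sh
# Added example: trace an automatic lookup back to its table and apply the checks.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"   # assumption: standard install location

# btool --debug prefixes every line with the .conf file it came from; drop that
# token so the same parsers work on output with or without --debug.
strip_debug_path() {
  awk '$1 ~ /\.conf$/ { sub(/^[^ \t]+[ \t]+/, "") } { print }'
}

# From "btool props list" output on stdin, print the transforms stanza that the
# automatic lookup $1 references (the first word after "=" on its line).
definition_from_props() {
  strip_debug_path | awk -v name="$1" '$1 == name && $2 == "=" { print $3; exit }'
}

# From "btool transforms list <stanza>" output on stdin, print either
# "filename=<csv>" (file-based lookup) or "collection=<name>" (KV store lookup).
table_from_transforms() {
  strip_debug_path | awk '$1 == "filename" || $1 == "collection" { print $1 "=" $3; exit }'
}

# Locate a CSV lookup table under etc/apps/*/lookups or etc/users/*/*/lookups.
find_lookup_file() {  # $1 = filename, $2 = $SPLUNK_HOME/etc
  for f in "$2"/apps/*/lookups/"$1" "$2"/users/*/*/lookups/"$1"; do
    if [ -f "$f" ]; then printf '%s\n' "$f"; return 0; fi
  done
  return 1
}

# Does the bundle-relative path $1 (e.g. apps/foo/lookups/x.csv) match any glob
# in the [replicationDenylist]/[replicationBlacklist] stanza text read from stdin?
# Prints the matching glob and returns 0; returns 1 when nothing matches.
in_denylist() {
  rel="$1"
  globs=$(strip_debug_path | awk '$2 == "=" { print $3 }')
  while read -r glob; do
    [ -n "$glob" ] || continue
    case "$rel" in $glob) printf '%s\n' "$glob"; return 0 ;; esac   # $glob is a pattern
  done <<EOF
$globs
EOF
  return 1
}

# Is file $1 larger than $2 MB? A limit of 0 means "no limit" (the default for
# excludeReplicatedLookupSize, an assumption to verify on your version).
exceeds_limit_mb() {
  [ "$2" -gt 0 ] || return 1
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -gt $(( $2 * 1024 * 1024 )) ]
}

# Driver: run the live btool commands when a Splunk install is present.
trace_lookup() {  # $1 = automatic lookup name, e.g. LOOKUP-splunk_security_essentials
  splunk="$SPLUNK_HOME/bin/splunk"
  [ -x "$splunk" ] || { echo "no splunk binary at $splunk" >&2; return 2; }
  def=$("$splunk" btool props list --debug | definition_from_props "$1")
  [ -n "$def" ] || { echo "no automatic lookup named $1 in props.conf" >&2; return 1; }
  echo "lookup definition: $def"
  table=$("$splunk" btool transforms list "$def" --debug | table_from_transforms)
  case "$table" in
    filename=*)
      csv="${table#filename=}"
      path=$(find_lookup_file "$csv" "$SPLUNK_HOME/etc") || { echo "table $csv not found on disk"; return 1; }
      echo "lookup table: $path"
      rel="${path#*/etc/}"
      limit=$("$splunk" btool distsearch list replicationSettings --debug \
              | strip_debug_path | awk '$1 == "excludeReplicatedLookupSize" { print $3 }')
      exceeds_limit_mb "$path" "${limit:-0}" && echo "WARNING: $csv exceeds excludeReplicatedLookupSize=${limit}MB"
      for stanza in replicationDenylist replicationBlacklist; do
        hit=$("$splunk" btool distsearch list "$stanza" --debug | in_denylist "$rel") \
          && echo "WARNING: $rel matches [$stanza] glob $hit"
      done ;;
    collection=*)
      echo "KV store lookup ${table#collection=}; check: $splunk show kvstore-status" ;;
    *) echo "definition $def has neither filename nor collection" ;;
  esac
}
```

Run it as `trace_lookup LOOKUP-splunk_security_essentials` on the search head that shows the error. A `collection=` result means the table lives in the KV store rather than on disk, so the file and size checks do not apply and the KV store status is what to look at next.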

Orange_girl
Loves-to-Learn Everything

Hi, I'm new to Splunk and getting the same error message after upgrading Splunk and the Security Essentials app.
Could you please help me understand how I can perform these steps:

First and foremost,

- you need to track down the automatic lookup definition

- record the lookup definition name being referenced

- find the lookup definition and record the lookup table name


m_pham
Splunk Employee

Hi - the numbered list provided step-by-step instructions on searching for the items I mentioned. In addition, the lookup errors you see in the UI usually tell you the name of the lookup-related configuration that's having problems.

This doc page should help:

https://docs.splunk.com/Documentation/Splunk/9.1.2/Knowledge/Aboutlookupsandfieldactions#Lookup_defi...


joshiro
Communicator

We recently encountered a similar error on some searches, and we found out that the source of the problem was the KV store failing to initialize because of expired certificates.

After renewing the web certificates the error no longer shows up.

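The two checks behind the KV store explanation above, as an added example that is not part of joshiro's post or of Splunk itself: an expiry test built on openssl's -checkend, applied to the certificate files splunkd and splunkweb read by default, plus the KV store status and log lines to look at afterwards. The default PEM locations (etc/auth/server.pem and etc/auth/splunkweb/cert.pem) and the splunkd.log grep pattern are assumptions; verify them against your server.conf and web.conf.

```shell
#!/bin/sh
# Added example: find expired/expiring Splunk certificates and look at KV store health.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"   # assumption: standard install location

# Return 0 if PEM certificate $1 expires within $2 seconds (0 = already expired),
# 1 otherwise. openssl -checkend exits 0 only when the cert is still valid at now+$2,
# so an unreadable or non-PEM file is also reported as "expires".
cert_expires_within() {
  if openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Report on the default splunkd/splunkweb certificates plus any paths passed in.
# Returns 1 if at least one of them is already expired.
check_splunk_certs() {
  rc=0
  for pem in "$SPLUNK_HOME/etc/auth/server.pem" "$SPLUNK_HOME/etc/auth/splunkweb/cert.pem" "$@"; do
    [ -r "$pem" ] || continue
    if cert_expires_within "$pem" 0; then
      echo "EXPIRED: $pem"; rc=1
    elif cert_expires_within "$pem" $((30 * 86400)); then
      echo "expires within 30 days: $pem"
    else
      echo "ok: $pem"
    fi
  done
  return $rc
}

# KV store health: the CLI status plus the most recent splunkd.log lines that
# mention KV store failures (log pattern is an assumption; widen it if needed).
check_kvstore() {
  "$SPLUNK_HOME/bin/splunk" show kvstore-status 2>&1 | grep -iE 'status|error'
  grep -iE 'KVStore.*(fail|error|certificate)' "$SPLUNK_HOME/var/log/splunk/splunkd.log" | tail -n 20
}
```

Run `check_splunk_certs` first; if it prints EXPIRED for a certificate the KV store uses, renew it and restart before spending time on lookup permissions or bundle sizes.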

splunkreal
Motivator

Hello, this issue has been seen in a test environment, not in production, so we removed it from the test environment without resolution.

* If this helps, please upvote or accept solution if it solved *

esafaei
Explorer

Hi there!

I had same issue after upgrading from version 9.0.4.1 to 9.0.5.

The upgrade process had been started by the root user and I had permission issues with different files.

In my experience running the below command resolved the issue.

# chown -R splunk:splunk /opt/splunk

Good luck!


splunkreal
Motivator

Hello,

This didn't help; hopefully this only happened in the test env.


tro
Path Finder

Same issue 😕


davvik
Engager

Did you manage to solve this?


aaron_barrett
New Member

I am also encountering this error on 3.4.0. Have you found a solution? Considering trying a rollback.


ChocolateRocket
Explorer

New Windows install and getting this error.

Wish there was a simple fix, as it's polluting our POC for a large purchase to get away from other product(s).
