Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

help on could not load lookup message

jip31
Motivator
‎10-04-2023 01:04 AM

Hello

When I run a search i have the message "could not load lookup" with different lookup name

For example :

Could not load lookup=LOOKUP-Kerberosfailurecode

Could not load lookup=LOOKUP-Kerberosresultcode

Could not load lookup=LOOKUP-syscall

I had a look in the lookup definition menu and I can see that some lookup are referenced to my splunk apps even if i dont use these lookups in my apps!

But i can change the name of the apps

Is it possible to change it?

Moreover, some lookup like "syscall" doesnt exists in my lookup definition menu

so how to solve this issue please?

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-04-2023 02:25 PM

This probably means that they are defined as automatic lookups, so will always be executed if the matching conditions are true for that lookup definition, e.g. it is the correct sourcetype.

The fact that it is failing could be that you don't have permissions to see some part of the lookup or that the lookup is not present and the definition is trying to refer to a non existent lookup, or that the automatic lookup definition is wrong. For example you can cause this problem by creating a field in the automatic lookup that does not exist in the lookup file and you will get this message.

Do you have a Splunk sys admin - they should look at this to find out what is wrong with the automatic lookup.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-04-2023 02:25 PM

This probably means that they are defined as automatic lookups, so will always be executed if the matching conditions are true for that lookup definition, e.g. it is the correct sourcetype.

The fact that it is failing could be that you don't have permissions to see some part of the lookup or that the lookup is not present and the definition is trying to refer to a non existent lookup, or that the automatic lookup definition is wrong. For example you can cause this problem by creating a field in the automatic lookup that does not exist in the lookup file and you will get this message.

Do you have a Splunk sys admin - they should look at this to find out what is wrong with the automatic lookup.

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎10-05-2023 10:13 PM

Thanks

No sys admin unfortunately

So im going to try to correct it...

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...