Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help on could not load lookup message

jip31
Motivator
‎10-04-2023 01:04 AM

Hello

When I run a search i have the message "could not load lookup" with different lookup name

For example :

Could not load lookup=LOOKUP-Kerberosfailurecode

Could not load lookup=LOOKUP-Kerberosresultcode

Could not load lookup=LOOKUP-syscall

I had a look in the lookup definition menu and I can see that some lookup are referenced to my splunk apps even if i dont use these lookups in my apps!

But i can change the name of the apps

Is it possible to change it?

Moreover, some lookup like "syscall" doesnt exists in my lookup definition menu

so how to solve this issue please?

 

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-04-2023 02:25 PM

This probably means that they are defined as automatic lookups, so will always be executed if the matching conditions are true for that lookup definition, e.g. it is the correct sourcetype.

The fact that it is failing could be that you don't have permissions to see some part of the lookup or that the lookup is not present and the definition is trying to refer to a non existent lookup, or that the automatic lookup definition is wrong. For example you can cause this problem by creating a field in the automatic lookup that does not exist in the lookup file and you will get this message.

Do you have a Splunk sys admin - they should look at this to find out what is wrong with the automatic lookup.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-04-2023 02:25 PM

This probably means that they are defined as automatic lookups, so will always be executed if the matching conditions are true for that lookup definition, e.g. it is the correct sourcetype.

The fact that it is failing could be that you don't have permissions to see some part of the lookup or that the lookup is not present and the definition is trying to refer to a non existent lookup, or that the automatic lookup definition is wrong. For example you can cause this problem by creating a field in the automatic lookup that does not exist in the lookup file and you will get this message.

Do you have a Splunk sys admin - they should look at this to find out what is wrong with the automatic lookup.

0 Karma
Reply
Solved! Jump to solution

jip31
Motivator
‎10-05-2023 10:13 PM

Thanks

No sys admin unfortunately

So im going to try to correct it...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...