Solved: [idx-1,idx-2,sh-2] Could not load lookup=LOOKUP-th...

SplunkNinja · ‎05-10-2024

I am seeing the following alert on the Searching and Reporting App and also within the InfoSec App for Splunk.

[idx-1,idx-2,sh-2] Could not load lookup=LOOKUP-threatprotect-severity

I am not sure how to go about troubleshooting this further. Thx.

gcusello · ‎05-10-2024

search in the lookups and in the lookup definitions the automatic lookup named "threatprotect-severity", probably it's missed or there are some missed fields, called by your searches, in the lookup definition.

Ciao.

Giuseppe

View solution in original post

SplunkNinja · ‎05-14-2024

I narrowed the issue down to an add-on and then updated to the latest version. This fixed the problem. Thanks for you help @gcusello and @PickleRick

gcusello · ‎05-14-2024

Hi @SplunkNinja ,

good for you, see next time!

let us know if we can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

gcusello · ‎05-10-2024

Hi @SplunkNinja ,

search in the lookups and in the lookup definitions the automatic lookup named "threatprotect-severity", probably it's missed or there are some missed fields, called by your searches, in the lookup definition.

Ciao.

Giuseppe

PickleRick · ‎05-11-2024

And check permissions. The lookup itself might be OK but you might not have permissions to use it.

[idx-1,idx-2,sh-2] Could not load lookup=LOOKUP-threatprotect-severity

lookup

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?

Splunk Education Goes to Washington | Splunk GovSummit 2024