The cause of this is, when using an SH Cluster, you are suggested initially to use the flag for not overwriting lookups (preserve_lookups) - the issue is that in 5.0.1 the automatic lookups for the Windows TA changed from using sourcetype to using source (since sourcetype is being consolidated in the app).

For more information on this change, see this article: https://docs.splunk.com/Documentation/WindowsAddOn/8.1.2/User/UpgradeFromEarlierVersions#Upgrade_saved_searches

The solution to remedy this is to either:

- Update the lookup file manually on the SH members GUI via file upload, which is "windows_apps.csv"
- Update the lookup file manually on the SH members GUI via search (see this answer from woodcock https://community.splunk.com/t5/All-Apps-and-Add-ons/After-Updating-the-Add-on-for-Windows-receive-error-quot-Could/m-p/454989/highlight/true#M55987)