Could not load lookup = lookup_table Indexer Insta...

erlindemberg · ‎02-07-2020

Hello, I would like to request help.

All searches that I do in my indexer, whether through search reporting or some dashboard, show the message "Could not load lookup = lookup_table".

The search is still being performed and this error only occurs in my indexer instance.

How can I be solving this problem?

nickhills · ‎02-07-2020

Is this a distributed deployment (ie seperate search heads and indexers) or a single server deployment (combined search & index server)

The way you have phrased it makes it sound like its distributed, in which case you should not be using your indexers for searching.

This message often occurs because a lookup is missing, (or is permissioned wrong).

-OR-

If you mean that you are running this search on a SH, but the indexers are reporting the error it could well be because the lookup is too big, and is not being distributed in the search bundle.

Look for errors in _internal which contain "ERROR DistributedBundleReplicationManager "

If my comment helps, please give it a thumbs up!

erlindemberg · ‎02-07-2020

My instances are separate search / indexer / heavy.

nickhills · ‎02-07-2020

So where do you see the error?
When Searching from the SH?

If my comment helps, please give it a thumbs up!

Could not load lookup = lookup_table Indexer Instance

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio