Splunk Search

Error 'Could not find all of the specified lookup fields in the lookup table.'

LeandroKopke
Explorer

I'm having problems when doing Splunk searches, always returning the error:

[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'WMI:WinEventLog:Application' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'WMI:WinEventLog:Security' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'WMI:WinEventLog:System' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'WinEventLog' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'XmlWinEventLog' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'source::WinEventLog:Security' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'wineventlog' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'xmlwineventlog' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WMI:WinEventLog:Security' and lookup table 'windows_app_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::WinEventLog:Security' and lookup table 'windows_app_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::XmlWinEventLog:Security' and lookup table 'windows_app_lookup'.

This happens in all the searches I do in Splunk. What can it be?
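
To see the scope of errors like the ones quoted above, the messages can be grouped by lookup table. This is an added example, not part of the original thread; the function name `summarize` and the reading of "lookup" fields as the input (match) columns and "destination" fields as the output columns of the lookup definition are assumptions.

```python
import re
from collections import defaultdict

# Shape of the messages quoted in the question:
# [<peer>] Error 'Could not find all of the specified <kind> fields in the lookup
# table.' for conf '<props.conf stanza>' and lookup table '<lookup name>'.
LINE_RE = re.compile(
    r"^\[(?P<peer>[^\]]+)\]\s+Error 'Could not find all of the specified "
    r"(?P<kind>destination|lookup) fields in the lookup table\.' "
    r"for conf '(?P<stanza>[^']+)' and lookup table '(?P<table>[^']+)'\.?$"
)
# Assumption: "lookup" fields are the match (input) columns of the lookup
# definition and "destination" fields are its OUTPUT columns.
KIND = {"lookup": "input", "destination": "output"}

def summarize(lines):
    """Return ({table: {"missing", "stanzas", "peers"}}, [unparsed lines])."""
    grouped = defaultdict(lambda: {"missing": set(), "stanzas": set(), "peers": set()})
    unparsed = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)  # keep anything unexpected visible
            continue
        entry = grouped[m["table"]]
        entry["missing"].add(KIND[m["kind"]])
        entry["stanzas"].add(m["stanza"])
        entry["peers"].add(m["peer"])
    report = {t: {k: sorted(v) for k, v in e.items()} for t, e in grouped.items()}
    return report, unparsed

# Four messages copied from the question, plus one constructed non-matching line.
SAMPLE = """\
[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'WMI:WinEventLog:Application' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'XmlWinEventLog' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WMI:WinEventLog:Security' and lookup table 'windows_app_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::XmlWinEventLog:Security' and lookup table 'windows_app_lookup'.
[sp1p-splidx-sec-90] some other message (constructed, not from the page)
""".splitlines()

if __name__ == "__main__":
    report, unparsed = summarize(SAMPLE)
    for table, info in sorted(report.items()):
        print(f"{table}: missing {info['missing']} fields, stanzas {info['stanzas']}")
    print(f"{len(unparsed)} line(s) did not match the expected format")
```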

1 Solution

CarsonZa
Contributor

@mbharrellmtsu I came across this when I didn't read the release notes properly. Mine occurred because I upgraded Exchange and my Windows TA. Unfortunately Windows TA 5.0 is not compatible with the newest version; rolling back to 4.8.4 (I believe) solved this for me.

worshamn
Contributor

I experienced this too and other people mentioned it in the comments but I think it is a good idea to list it as an answer for others who have the same problem. Looks to be caused by having old versions of Splunk App for Windows Infrastructure or Splunk App for Microsoft Exchange as stated in the release notes:

The Splunk Add-on for Windows 5.0.1 is not compatible with the Splunk App for Windows Infrastructure version 1.4.4 and the Splunk App for Microsoft Exchange version 3.4.4. Use the Splunk Add-on for Windows 4.8.4 if you want to use either of these apps.

pgadhari
Builder

I don't see any link for the Windows add-on version 4.8.4 download? If you know, can you share the download link, please?

mbharrellmtsu
Engager

Yes, that resolved the issue! We were running 5.0.0, but reverted back to 4.8.4 and there are no longer any lookup table errors. Thank you!

CarsonZa
Contributor

Good to hear. Since you found it useful, please accept my answer.

CarsonZa
Contributor

What version of the Windows TA do you have? Do you have the Exchange app or the Windows Infrastructure app?

mbharrellmtsu
Engager

We recently began experiencing this same issue after we upgraded Splunk from 6.4.1 to 7.1 for security reasons, but our apps for Windows AD and Exchange were incompatible so we installed all dependencies and upgraded the AD app (haven't made it to upgrading Exchange app yet). Then we began receiving the same error messages in splunkd.log when running any search.

I've had a hard time finding anyone else with this issue, aside from this question. What version of Splunk are you running, LeandroKopke?
