Splunk Search

Error 'Could not find all of the specified lookup fields in the lookup table.'

LeandroKopke
Explorer

I'm having problems when doing Splunk searches; they always return the error:

[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'WMI:WinEventLog:Application' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'WMI:WinEventLog:Security' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'WMI:WinEventLog:System' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'WinEventLog' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'XmlWinEventLog' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'source::WinEventLog:Security' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'wineventlog' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'xmlwineventlog' and lookup table 'windows_signature_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WMI:WinEventLog:Security' and lookup table 'windows_app_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::WinEventLog:Security' and lookup table 'windows_app_lookup'.
[sp1p-splidx-sec-90] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::XmlWinEventLog:Security' and lookup table 'windows_app_lookup'.

This happens in all the searches I do in Splunk. What can it be?
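To see at a glance which lookup tables and which props stanzas are affected (and whether the missing fields are on the lookup's input or OUTPUT side), here is a small parser for the splunkd.log lines quoted above. It is an added example, not code from the thread or from Splunk; the sample lines are copied from the question, and the mapping of "destination fields" to the OUTPUT side and "lookup fields" to the input side is an assumption based on how automatic lookups are declared.

```python
import re
from collections import defaultdict

# Matches the splunkd.log lines quoted in the question: [host] Error '<msg>' for
# conf '<props stanza>' and lookup table '<table>'.
LOOKUP_ERROR_RE = re.compile(
    r"\[(?P<host>[^\]]+)\] Error '(?P<msg>[^']+)' "
    r"for conf '(?P<conf>[^']+)' and lookup table '(?P<table>[^']+)'\."
)


def parse_lookup_errors(lines):
    """Return one dict per matching log line; lines that do not match are skipped."""
    records = []
    for line in lines:
        m = LOOKUP_ERROR_RE.search(line)
        if m:
            rec = m.groupdict()
            # Assumption: 'destination fields' = OUTPUT side of the automatic lookup,
            # 'lookup fields' = the input/match side.
            rec["side"] = "output" if "destination fields" in rec["msg"] else "input"
            records.append(rec)
    return records


def summarize(lines):
    """Group affected stanzas by lookup table and by which side of the lookup is broken."""
    summary = defaultdict(lambda: {"input": set(), "output": set()})
    for rec in parse_lookup_errors(lines):
        summary[rec["table"]][rec["side"]].add(rec["conf"])
    return {t: {k: sorted(v) for k, v in sides.items()} for t, sides in summary.items()}


# Constructed sample: four lines taken from the question plus one unrelated line.
SAMPLE_LOG = [
    "[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'WMI:WinEventLog:Application' and lookup table 'windows_signature_lookup'.",
    "[sp1p-splidx-sec-90] Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'WinEventLog' and lookup table 'windows_signature_lookup'.",
    "[sp1p-splidx-sec-90] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WMI:WinEventLog:Security' and lookup table 'windows_app_lookup'.",
    "[sp1p-splidx-sec-90] Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'source::WinEventLog:Security' and lookup table 'windows_app_lookup'.",
    "[sp1p-splidx-sec-90] INFO  SearchParser - PARSING: search index=main",
]

if __name__ == "__main__":
    for table, sides in summarize(SAMPLE_LOG).items():
        print(table, sides)
```

Run it against a copy of your own splunkd.log instead of SAMPLE_LOG to get the full list of lookup tables whose CSV headers no longer match the props.conf LOOKUP definitions shipped by the add-on.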

1 Solution

CarsonZa
Contributor

@mbharrellmtsu I came across this when I didn't read the release notes properly. Mine occurred because I upgraded Exchange and my Windows TA. Unfortunately Windows TA 5.0 is not compatible with the newest version; rolling back to 4.8.4 (I believe) solved this for me.


worshamn
Contributor

I experienced this too and other people mentioned it in the comments but I think it is a good idea to list it as an answer for others who have the same problem. Looks to be caused by having old versions of Splunk App for Windows Infrastructure or Splunk App for Microsoft Exchange as stated in the release notes:

The Splunk Add-on for Windows 5.0.1 is not compatible with the Splunk App for Windows Infrastructure version 1.4.4 and the Splunk App for Microsoft Exchange version 3.4.4. Use the Splunk Add-on for Windows 4.8.4 if you want to use either of these apps.

pgadhari
Builder

I don't see any link for the Windows add-on version 4.8.4 download. If you know, can you share the download link, please?

0 Karma

mbharrellmtsu
Engager

Yes, that resolved the issue! We were running 5.0.0, but reverted back to 4.8.4 and there are no longer any lookup table errors. Thank you!

0 Karma

CarsonZa
Contributor

Good to hear. Since you found it useful, please accept my answer.

0 Karma

CarsonZa
Contributor

What version of the Windows TA do you have? Do you have the Exchange app or the Windows Infrastructure app?

0 Karma

mbharrellmtsu
Engager

We recently began experiencing this same issue after we upgraded Splunk from 6.4.1 to 7.1 for security reasons, but our apps for Windows AD and Exchange were incompatible so we installed all dependencies and upgraded the AD app (haven't made it to upgrading Exchange app yet). Then we began receiving the same error messages in splunkd.log when running any search.

I've had a hard time finding anyone else with this issue, aside from this question. What version of Splunk are you running, LeandroKopke?

0 Karma