Re: Could not load lookup = lookup_table Indexer I...

erlindemberg · ‎02-07-2020

Hello, I would like to request help.

All searches that I do in my indexer, whether through search reporting or some dashboard, show the message "Could not load lookup = lookup_table".

The search is still being performed and this error only occurs in my indexer instance.

How can I be solving this problem?

nickhills · ‎02-07-2020

Is this a distributed deployment (ie seperate search heads and indexers) or a single server deployment (combined search & index server)

The way you have phrased it makes it sound like its distributed, in which case you should not be using your indexers for searching.

This message often occurs because a lookup is missing, (or is permissioned wrong).

-OR-

If you mean that you are running this search on a SH, but the indexers are reporting the error it could well be because the lookup is too big, and is not being distributed in the search bundle.

Look for errors in _internal which contain "ERROR DistributedBundleReplicationManager "

If my comment helps, please give it a thumbs up!

erlindemberg · ‎02-07-2020

My instances are separate search / indexer / heavy.

nickhills · ‎02-07-2020

So where do you see the error?
When Searching from the SH?

If my comment helps, please give it a thumbs up!

Could not load lookup = lookup_table Indexer Instance

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?