Hi,
I ran into the exact same issue, and I managed to solve it.
Try to run the following command:
/opt/splunk/bin/splunk btool props list --debug | grep LOOKUP-eventcode
You should see something like:
/opt/splunk/etc/apps/Threathunting/default/props.conf LOOKUP-eventcode = eventcode Eventcode OUTPUTNEW event_description
/opt/splunk/etc/app/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = [...]
Those two duplicate lines are what's causing this error.
You can comment out the line "LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature" in /opt/splunk/etc/app/TA-microsoft-sysmon/default/props.conf.
After a quick refresh of your Threathunting dashboard, your issue should be gone.
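The check described in the post above, generalized to every LOOKUP-<class> setting instead of a single grep, as an added example that is not part of the original post. The function name `find_dup_lookups` and the sample lines are constructed for illustration (the sample reuses the two paths and the lookup line quoted in the post), and the parser assumes conf file paths contain no spaces.

```shell
#!/bin/sh
# Added example, not from the original post.
# Reads the output of `splunk btool props list --debug` on stdin, where each
# line is "<conf file path> <setting> = <value>", and prints every LOOKUP-*
# setting name that is defined in more than one conf file, followed by a tab
# and the comma-separated list of files that define it.
find_dup_lookups() {
    awk '
        $2 ~ /^LOOKUP-/ && $3 == "=" {
            key = $2; file = $1
            # Count each (setting, file) pair only once.
            if (!((key, file) in seen)) {
                seen[key, file] = 1
                count[key]++
                files[key] = files[key] (files[key] == "" ? "" : ",") file
            }
        }
        END {
            for (k in count)
                if (count[k] > 1) print k "\t" files[k]
        }
    ' | sort
}

# Constructed sample input in btool --debug layout. The last two lines
# (a stanza header and a lookup defined in only one file) are invented
# to show what the function ignores.
sample_btool_output() {
    cat <<'EOF'
/opt/splunk/etc/apps/Threathunting/default/props.conf LOOKUP-eventcode = eventcode Eventcode OUTPUTNEW event_description
/opt/splunk/etc/app/TA-microsoft-sysmon/default/props.conf LOOKUP-eventcode = eventcode EventCode OUTPUTNEW EventDescription EventDescription AS signature
/opt/splunk/etc/apps/Threathunting/default/props.conf [constructed:sourcetype]
/opt/splunk/etc/apps/Threathunting/default/props.conf LOOKUP-constructed_only = constructed_lookup Field OUTPUTNEW other
EOF
}

# Stand-alone run on the constructed sample.
sample_btool_output | find_dup_lookups
```

On a live system, pipe the real btool output into the function in place of the sample: `/opt/splunk/bin/splunk btool props list --debug | find_dup_lookups`.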