Just applied latest version (1.4.4) and getting a lot of "Searches Delayed". When checking the reason why:
index=_internal component=SavedSplunker log_level!=INFO | stats count by app message
It's showing that in the last 24 hours 96 messages state:
"Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.". No actions executed".
I checked for hidden characters in the lookups, didn't find any. Not sure where it's breaking. Here are the _raw logs:
07-30-2020 16:30:56.199 +0000 ERROR SavedSplunker - savedsearch_id="nobody;ThreatHunting;[T1003] Credential Dumping ImageLoad", message="Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.". No actions executed
07-30-2020 16:30:56.203 +0000 ERROR SavedSplunker - savedsearch_id="nobody;ThreatHunting;[T1073] DLL Side-Loading - WMI", message="Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.". No actions executed
07-30-2020 12:30:29.267 +0000 ERROR SavedSplunker - savedsearch_id="nobody;ThreatHunting;[T1071] Standard Application Layer Protocol", message="Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.". No actions executed
07-30-2020 16:00:59.816 +0000 ERROR SavedSplunker - savedsearch_id="nobody;ThreatHunting;[T1073] DLL Side-Loading - WMI", message="Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.". No actions executed
07-30-2020 16:00:59.818 +0000 ERROR SavedSplunker - savedsearch_id="nobody;ThreatHunting;[T1044] File System Permissions Weakness", message="Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.". No actions executed
07-30-2020 15:46:04.247 +0000 ERROR SavedSplunker - savedsearch_id="nobody;ThreatHunting;[T1003] Credential Dumping ImageLoad", message="Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.". No actions executed 07-30-2020 15:46:04.250 +0000 ERROR SavedSplunker - savedsearch_id="nobody;ThreatHunting;[T1073] DLL Side-Loading - PowerShell", message="Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.". No actions executed
07-30-2020 17:30:42.921 +0000 ERROR SavedSplunker - savedsearch_id="nobody;ThreatHunting;[T1003] Credential Dumping ImageLoad", message="Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.". No actions executed
Just applied latest version (1.4.4) and getting a lot of "Searches Delayed". When checking the reason why:
It's showing that in the last 24 hours 96 messages state:
I checked for hidden characters in the lookups, didn't find any. Not sure where it's breaking. Here are the _raw logs: