0

Consultant

I am new to Splunk and uberAgent, so I apologise if my question is trivial. Searched for the issue first but can't get anything useful or obvious.

Fresh install of Splunk 6.3.3. Enterprise on CentOS 7 and uberAgent 3.6 on Windows 7 Pro 64-bit.

Each graph has a small red triangle, and the errors read:

======================

The following messages were returned by the search subsystem:

  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Application:ApplicationInventory' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Application:ApplicationUsage' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Application:BrowserPerformanceChrome' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Application:BrowserPerformanceIE' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Application:OutlookPluginLoad' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Application:SoftwareUpdateInventory' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Application:UIDelay' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:License:LicenseInfo' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Logon:ADLogonScriptTimeMs' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Logon:GroupPolicyCSEDetail' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Logon:GroupPolicyLogonScriptTimeMs' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Logon:GroupPolicyProcessingTimes' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Logon:LogonPerformance' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Logon:ProfileLoadTimeMs' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Logon:SessionEnd' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Logon:SessionLogonTime' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Logon:ShellStartupTimeMs' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:Logon:TotalLogonTimeMs' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:OnOffTransition:BootDetail' and lookup table 'lookup_hostinfo'.
  • ERROR: Error 'Could not find all of the specified destination fields in the lookup table.' for conf 'uberAgent:OnOffTransition:BootIODetail' and lookup table 'lookup_hostinfo'.
  • ERROR: Info.csv being bloated by "lookup" log messages . Will not log additional errors. Refer search.log
  • ERROR: The limit has been reached for log messages in info.csv. 21 messages have not been written to info.csv. Please refer to search.log for these messages or limits.conf to configure this limit.

=========

Your assistance is needed and very much appreciated.

Thank you.

 

1 comment

  • Avatar
    Helge Klein Official comment

    Hi Zoltan,

    This happens because the default lookup table hostinfo.csv shipped with the uberAgent searchhead app was missing a field.

    To make the errors go away you can either:

    • Wait for approx. 1 hour after installing at least one uberAgent endpoint and the uberAgent Splunk apps. After that time the lookup table should have been rebuilt with uberAgent data from your machines.
    • Re-download uberAgent and replace the searchhead app with the (fixed) version from the download.
Please sign in to leave a comment.