Splunk App for Anomaly Detection - "Could not load...

danielbb · ‎09-05-2023

In Step 2 "Add the Dataset" of "Create Anomaly Job" within the Splunk App for Anomaly Detection, when running the following SPL, we get the warning-

index=wineventlog_security
| timechart count

"Could not load lookup=LOOKUP-HTTP_STATUS No matching fields exist."

What can it be?

We use the following versions -

Splunk App for Anomaly Detection - 1.1.0

Python for Scientific Computing - 4.1.2

Splunk Machine Learning Toolkit - 5.4.0

kcurtis · ‎09-28-2023

Can you confirm whether your original search returns > 0 events by running it in the search bar on the "Search" tab in AnomalyApp (or in Search & Reporting)? This message may be shown because the search is returning 0 events. We expect to have a fix for this, so our error message is more informative, in our next patch release of AnomalyApp.

danielbb · ‎09-06-2023

@VatsalJaganiI looked in a couple of environments and I don't see it as automatic lookup. Any ideas?

VatsalJagani · ‎09-07-2023

@danielbb - What do you mean by a couple of environments? You need to check in the environment/SearchHead which is generating this error for you.

And there has to be automatic lookup. If you don't see it try to find it inside props.conf from the backend.

VatsalJagani · ‎09-05-2023

@danielbb - This automatic lookup could be present in any App.

You can try to find where it is present by going to Splunk UI > Lookups > Automatic lookups and select All App and Any Owner and filter for HTTP_STATUS and trying to find which App contains this lookup. You should be able to fix it from there as well.

I hope this helps!!!

Splunk App for Anomaly Detection - "Could not load lookup=LOOKUP-HTTP_STATUS No matching fields exist."

lookup

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!