
Cisco Security Suite Setup Errors - Encountered the following error while trying to update: In handler 'localapps': Error while posting to url....


Has anyone encountered this error and know the fix? I have the latest build of Splunk, added the Cisco ASA, ESA and SourceFire add on apps and the main Cisco Security Suite prompts me to go through a setup... I check these 3 packages and I get this error in a red bar:

Encountered the following error while trying to update: In handler 'localapps': Error while posting to url=/servicesNS/nobody/Splunk_CiscoSecuritySuite/css_setup/css_setup_endpoint/default


New Member

I am having the same issue.
Did anyone find a workaround?

0 Karma


Is this a Windows install by any chance? I encountered this on two Splunk 6.2.3 Windows servers. I doubt it happens on NIX.

0 Karma

Splunk Employee

I tried (unsuccessfully) to repro using latest (& clean) Splunk (6.2.2), ASA, ESA, and SourceFire

Still, you may be able to work around the issue by updating 3 files manually...

Create $SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/local/app.conf

[install]
is_configured = 1

Create $SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/local/css_views.conf

asa = 1
csf = 1
esa = 1

Create $SPLUNK_HOME/etc/apps/Splunk_CiscoSecuritySuite/local/data/ui/nav/default.xml

<nav color="#29688A">
    <collection label="Splunk for Cisco Security">
        <view default="true" name="cisco_security_overview" />
        <view name="search_ip_profile" />
        <view name="user_tracking" />
        <view name="search" />
        <divider />
        <collection label="Searches &amp; Reports">
            <saved source="unclassified" view="search" />
        </collection>
        <collection label="Dashboards">
            <view source="unclassified" />
        </collection>
    </collection>

    <collection label="Email Security">
        <view name="esa_overview" />
        <divider />
        <view name="esa_performance" />
        <view name="esa_search" />
        <divider />
        <collection label="Email Searches &amp; Reports">
            <saved match="Cisco ESA" source="all" view="search" />
        </collection>
    </collection>

    <collection label="Network Security">
        <view name="asa_overview" />
        <view name="asa_search" />
        <divider />
        <collection label="Sourcefire IPS IDS">
            <view name="sourcefire_estreamer_summary" />
            <divider />
            <view name="sourcefire_sensor_summary" />
            <view name="sourcefire_policy_summary" />
            <view name="sourcefire_host_summary" />
            <view name="sourcefire_flow_summary" />
            <divider />
            <view name="sourcefire_ids_event_summary" />
            <view name="sourcefire_file_event_summary" />
            <view name="sourcefire_correlation_summary" />
        </collection>

        <divider />
        <divider />
        <collection label="Firewall Searches &amp; Reports">
            <saved match="Cisco ASA" source="all" view="search" />
        </collection>
        <collection label="IPS Searches &amp; Reports">
            <saved match="Cisco IPS" source="all" view="search" />
        </collection>
    </collection>

    <collection label="Help">
        <view name="getting_started" />
        <collection label="Documentation">
            <view name="upgrading" />
            <a href="">Cisco ASA Configuration</a>
            <a href="">Cisco WSA Configuration</a>
            <a href="">Cisco ESA Configuration</a>
            <a href="">Cisco ISE Configuration</a>
            <a href="">Cisco IPS Configuration</a>
            <view name="sourcefire_documentation" />
        </collection>
        <a href="/manager/Splunk_CiscoSecuritySuite/apps/local/Splunk_CiscoSecuritySuite/setup?action=edit&amp;redirect_override=/app/Splunk_CiscoSecuritySuite/cisco_security_overview">Setup</a>
    </collection>
</nav>

...and then restart Splunk.



Great Thanks

0 Karma


Great stuff thanks !

0 Karma

New Member

Hi, I'm also getting the error "In handler 'localapps': Error while posting to url=/servicesNS/nobody/Splunk_CiscoSecuritySuite/css_setup/css_setup_endpoint/default" (Splunk 6.2.2, CSS 3.1.1).

I only want to enable ASA and IPS so would I need a different default.xml to the one above?

0 Karma


If you can't live with the default navigation menu, just remove the collections for:

  • Sourcefire IPS IDS
  • Email Security

By the way you will need the Splunk Add-on for Cisco ESA installed on your search head to get rid of an annoying message about some eventtypes not found even if you don't use ESA.

0 Karma
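The pruning suggested in the reply above, as an added example (not part of the original posts and not code shipped with the app): it removes the named collections from a nav file and fails on malformed XML before Splunk ever loads it. `SAMPLE_NAV` is a constructed, shortened copy of the nav file from the workaround, and `prune_nav` and `view_names` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed, shortened sample of the nav file from the workaround (assumption:
# the real default.xml uses the same <collection label="..."> nesting).
SAMPLE_NAV = """<nav color="#29688A">
    <collection label="Splunk for Cisco Security">
        <view default="true" name="cisco_security_overview" />
    </collection>
    <collection label="Email Security">
        <view name="esa_overview" />
    </collection>
    <collection label="Network Security">
        <view name="asa_overview" />
        <divider />
        <collection label="Sourcefire IPS IDS">
            <view name="sourcefire_sensor_summary" />
        </collection>
        <divider />
        <collection label="Firewall Searches &amp; Reports">
            <saved match="Cisco ASA" source="all" view="search" />
        </collection>
    </collection>
</nav>"""

def prune_nav(nav_xml, unwanted_labels):
    """Return (pruned XML, removed labels) with the listed collections dropped.

    ET.fromstring raises ET.ParseError on malformed input, such as a missing
    </collection>, so a broken file is rejected here rather than at restart.
    """
    root = ET.fromstring(nav_xml)
    removed = []
    # Snapshot parents and children first: removing during live iteration skips nodes.
    for parent in list(root.iter()):
        for child in list(parent):
            if child.tag == "collection" and child.get("label") in unwanted_labels:
                parent.remove(child)
                removed.append(child.get("label"))
    return ET.tostring(root, encoding="unicode"), removed

def view_names(nav_xml):
    """List the named views a nav file still references."""
    return [v.get("name") for v in ET.fromstring(nav_xml).iter("view") if v.get("name")]

if __name__ == "__main__":
    pruned, removed = prune_nav(SAMPLE_NAV, {"Sourcefire IPS IDS", "Email Security"})
    print("removed:", removed)
    print("views left:", view_names(pruned))
    print(pruned)
```

Collections are matched by exact label at any nesting depth, so the nested "Sourcefire IPS IDS" entry is removed along with the top-level "Email Security" one.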

New Member

Thanks, I added the XML as is, and might change it later.

I am getting other error messages when searching;
The lookup table 'cisco_action_lookup' does not exist. It is referenced by configuration 'cisco:asa'.

The lookup table 'cisco_action_lookup' does not exist. It is referenced by configuration 'cisco:fwsm'.

The lookup table 'cisco_action_lookup' does not exist. It is referenced by configuration 'cisco:pix'.

The lookup table 'cisco_asa_change_analysis_lookup' does not exist. It is referenced by configuration 'cisco:asa'.

The lookup table 'cisco_asa_ids_lookup' does not exist. It is referenced by configuration 'cisco:asa'.

The lookup table 'cisco_asa_ids_lookup' does not exist. It is referenced by configuration 'cisco:pix'.

The lookup table 'cisco_asa_intrusion_severity_lookup' does not exist. It is referenced by configuration 'cisco:asa'.

The lookup table 'cisco_asa_intrusion_severity_lookup' does not exist. It is referenced by configuration 'cisco:fwsm'.

The lookup table 'cisco_asa_intrusion_severity_lookup' does not exist. It is referenced by configuration 'cisco:pix'.

The lookup table 'cisco_asa_syslog_severity_lookup' does not exist. It is referenced by configuration 'cisco:asa'.

The lookup table 'cisco_asa_vendor_class_lookup' does not exist. It is referenced by configuration 'cisco:asa'.

The lookup table 'cisco_ips_vendor_info_lookup' does not exist. It is referenced by configuration 'cisco:ips:syslog'.

Any idea what's going wrong here?

0 Karma


Hmpf try changing the css_views.conf file and set the parts you don't need to 0. Otherwise you may have to add all the add-ons 😕

0 Karma

New Member

I changed the css_views.conf to asa = 1, ips = 1, csf = 0, esa = 0, wsa = 0, ise = 0 but still get the errors. I added the remaining add-ons so current versions are;
Splunk_CiscoSecuritySuite 3.1.1
Splunk_TA_cisco-asa 3.2.3
Splunk_TA_cisco-esa 1.2.0
Splunk_TA_cisco-ips 2.1.4
Splunk_TA_cisco-wsa 3.2.1
Splunk_TA_sourcefire 3.3.0

If I disable Splunk_TA_cisco-asa most of the errors go away, but I guess it needs to be enabled?

0 Karma

Splunk Employee

I'm not able to reproduce this on my system. Can you provide the link to the SourceFire add-on you're using? There are 2 different options presently available, maybe we're using different ones.

0 Karma


I am using this add on app for SourceFire:, but I get this on trying to only enable the ASA or ESA add-on and this is a clean install. Odd, that I can install the apps, but the setup produces this error out of the box. Frustrating... 😞

0 Karma


@csimms This might be a silly question, but did you restart splunkd after installation? I installed a fresh copy this morning and although I didn't read the errors I did have the similar red bar. In my instance it is because the application requires a splunkd restart.

0 Karma


Yes, I restarted Splunk. I'll reach out to Splunk support for assistance. We have a paid enterprise level, so I assume they can help?

0 Karma


I can't find the app.conf file you mention below in that directory.

0 Karma