
The question about Tripwire Enterprise App for Splunk Enterprise

xsstest
Communicator

After installation of the tripwire-enterprise-add-on-for-splunk app is complete, the following error is shown when searching:

The lookup table 'asset_info' does not exist.It is referenced by configuration 'te_fim_scv
The lookup table 'asset_info' does not exist.It is referenced by configuration 'te_scm_scv

So I executed the script te_assets.py in the directory /TA_tripwire_enterprise/lookups/. It also prompted an error:

 ImportError: No module named splunk.clilib. 

Where does the splunk.clilib module come from? Which link can I download it from?

msocops
Loves-to-Learn

Hi Jim,

 

Found this thread, as I am facing an issue with Tripwire on Splunk. It is generating this humongous file (te_assets.csv), approximately 26 GB within an hour. Due to this the Splunk service stops, as on the Search Head there is only a single partition.

Seems like Tripwire keeps updating the Splunk lookup with a fresh copy of assets data. Is there a way to limit the generated lookup file on Splunk? Or any config changes to be done from the Tripwire side?

Your help/feedback is highly appreciated.

 

0 Karma

JimWachhaus
Path Finder

The error you’re seeing is because the lookup table asset_info doesn’t exist on the Splunk system that you’re using to view your dashboards. This lookup table would appear as te_assets.csv in TA_tripwire_enterprise/lookups.

The TA will automatically retrieve asset data from TE and write te_assets.csv out to disk if you enable the input on that Splunk instance. To do that you can enable the “$SPLUNK_HOME/etc/apps/TA_tripwire_enterprise/bin/te_assets.py” Script input from the Settings -> Data Inputs -> Scripts section of the UI.

Alternatively you can add “disabled = 0” to TA_tripwire_enterprise/local/inputs.conf underneath the [script://$SPLUNK_HOME/etc/apps/TA_tripwire_enterprise/bin/te_assets.py] section and restart Splunk.

Once TA_tripwire_enterprise/lookups/te_assets.csv exists, the error you’re seeing should go away.

0 Karma
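A check covering both problems in this thread (the missing lookup and the runaway te_assets.csv), as an added example that is not part of the original posts or of the Tripwire add-on. The function names, the 500 MB threshold and the sample directory it builds are assumptions made for illustration; the stanza name and file paths are the ones quoted in the answer above.

```python
import os
import tempfile

# Stanza name as quoted in the answer above.
STANZA = "script://$SPLUNK_HOME/etc/apps/TA_tripwire_enterprise/bin/te_assets.py"

def read_disabled(conf_path, stanza=STANZA):
    """Return the 'disabled' value set under `stanza` in one .conf file, or None."""
    if not os.path.isfile(conf_path):
        return None
    current, value = None, None
    with open(conf_path, encoding="utf-8") as fh:
        for line in (raw.strip() for raw in fh):
            if not line or line.startswith("#"):
                continue
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
            elif current == stanza and "=" in line:
                key, _, val = line.partition("=")
                if key.strip() == "disabled":
                    value = val.strip().lower()
    return value

def check_te_assets(app_dir, max_bytes=500 * 1024 * 1024):
    """Report input state and lookup file state for one copy of the TA."""
    # A setting in local/ overrides the same setting in default/.
    disabled = read_disabled(os.path.join(app_dir, "local", "inputs.conf"))
    if disabled is None:
        disabled = read_disabled(os.path.join(app_dir, "default", "inputs.conf"))
    lookup = os.path.join(app_dir, "lookups", "te_assets.csv")
    size = os.path.getsize(lookup) if os.path.isfile(lookup) else None
    return {
        "input_enabled": None if disabled is None else disabled in ("0", "false"),
        "lookup_exists": size is not None,
        "lookup_bytes": size,
        "lookup_oversize": size is not None and size > max_bytes,  # assumed limit
    }

def build_sample_app(root, disabled=None, csv_bytes=None):
    """Constructed fixture: a minimal TA directory tree, not real Tripwire data."""
    for sub in ("local", "lookups"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    if disabled is not None:
        with open(os.path.join(root, "local", "inputs.conf"), "w") as fh:
            fh.write("[%s]\ndisabled = %s\n" % (STANZA, disabled))
    if csv_bytes is not None:
        with open(os.path.join(root, "lookups", "te_assets.csv"), "wb") as fh:
            fh.write(b"x" * csv_bytes)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(check_te_assets(build_sample_app(d, "0", 2048), max_bytes=1024))
```

On a real system, pass the TA's directory under $SPLUNK_HOME/etc/apps as `app_dir`; a result of `input_enabled` equal to `None` means neither inputs.conf sets `disabled` for that stanza.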