Found this thread, as I am facing an issue with Tripwire on Splunk. It is generating this humongous file (te_assets.csv), approximately 26 GB within an hour. Due to this the Splunk service stops, as on the Search Head there is only a single partition.
Seems like Tripwire keeps updating the Splunk lookup with a fresh copy of assets data. Is there a way to limit the generated lookup file on Splunk? Or any config changes to be done from the Tripwire side?
The error you’re seeing is because the lookup table asset_info doesn’t exist on the Splunk system that you’re using to view your dashboards. This lookup table would appear as te_assets.csv in TA_tripwire_enterprise/lookups.
The TA will automatically retrieve asset data from TE and write te_assets.csv out to disk if you enable the input on that Splunk instance. To do that you can enable the “$SPLUNK_HOME/etc/apps/TA_tripwire_enterprise/bin/te_assets.py” script input from the Settings -> Data Inputs -> Scripts section of the UI.
Alternatively you can add “disabled = 0” to TA_tripwire_enterprise/local/inputs.conf underneath the [script://$SPLUNK_HOME/etc/apps/TA_tripwire_enterprise/bin/te_assets.py] section and restart Splunk.
Once TA_tripwire_enterprise/lookups/te_assets.csv exists, the error you’re seeing should go away.
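An added example, not part of the posts above and not the TA's own code: a small check that reads the stanza named in the answer from local/inputs.conf and reports how large te_assets.csv has grown relative to the partition it sits on. The `max_share` threshold, the sample CSV columns and the temporary directory layout are constructed for illustration, and the parser assumes the file has no keys above the first stanza.

```python
import configparser
import os
import shutil
import tempfile

STANZA = "script://$SPLUNK_HOME/etc/apps/TA_tripwire_enterprise/bin/te_assets.py"
TRUE_VALUES = {"1", "true", "t", "yes", "y"}  # values treated as "true" here


def input_enabled(inputs_conf):
    """True/False from the stanza's 'disabled' key; None if local/ does not set it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written
    cp.read(inputs_conf)  # a missing file is silently skipped
    if not cp.has_option(STANZA, "disabled"):
        return None
    return cp.get(STANZA, "disabled").strip().lower() not in TRUE_VALUES


def lookup_report(app_dir, max_share=0.10):
    """Report input state, lookup size, and whether the lookup exceeds
    max_share (hypothetical threshold) of the partition holding the app."""
    lookup = os.path.join(app_dir, "lookups", "te_assets.csv")
    size = os.path.getsize(lookup) if os.path.exists(lookup) else None
    total = shutil.disk_usage(app_dir).total
    return {
        "enabled": input_enabled(os.path.join(app_dir, "local", "inputs.conf")),
        "lookup_bytes": size,
        "oversized": size is not None and size > max_share * total,
    }


def build_sample_app(root):
    """Constructed sample layout so the check runs offline."""
    app = os.path.join(root, "TA_tripwire_enterprise")
    os.makedirs(os.path.join(app, "local"))
    os.makedirs(os.path.join(app, "lookups"))
    with open(os.path.join(app, "local", "inputs.conf"), "w") as fh:
        fh.write("[%s]\ndisabled = 0\n" % STANZA)
    with open(os.path.join(app, "lookups", "te_assets.csv"), "w") as fh:
        fh.write("asset_id,name\n1,host-a\n")  # constructed columns
    return app


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(lookup_report(build_sample_app(tmp)))
```

On a real instance, call `lookup_report` with the app directory under $SPLUNK_HOME/etc/apps instead of the constructed one.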