Getting Data In

Network Resolution (DNS) - Could not construct lookups- How to resolve errors?

lznger88_2
Path Finder

Hi All,

I have recently ingested Cisco Umbrella logs into Splunk Cloud (8.1.2) and everything seems to be working fine, expect for the Network Resolution DNS data model. When I try to accelerate the model or pivot, I obtain the following errrors:

1) The search job has failed due to an error. You may be able view the job in the job inspector
 
 
2) Error in 'lookup' command: Could not construct lookup 'cim_dns_reply_code_lookup, reply_code_id, AS, reply_code_id, OUTPUT, reply_code, AS, reply_code'. See search.log for more details.
 
3) Cannot expand lookup field 'action' due to a reference cycle in the lookup configuration. Rewrite the lookup configuration to remove the reference cycle.

 

I reviewed the search.log but don't see anything related to causing the issue. Has anyone experienced or solved this before?

Cheers

Labels (1)
0 Karma

jamesdsteel
Explorer

Just encountered the same error.

Fixed by downloading the CIM app from Splunkbase and extracting the cim_dns_reply_codes2.csv.default file (from Splunk_SA_CIM/lookups/) , saving it as cim_dns_reply_codes2.csv and then uploading it back to the CIM app on our instance.

For some reason the CSV is there in the app as cim_dns_reply_codes2.csv.default which Splunk doesn't seem to recognise as a valid CSV.

Rebuilding the Network_Resolution data model and seems to be working now.

0 Karma
Get Updates on the Splunk Community!

Announcing General Availability of Splunk Incident Intelligence!

Digital transformation is real! Across industries, companies big and small are going through rapid digital ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...