Network Resolution (DNS) - Could not construct loo...

lznger88_2 · ‎04-11-2021

Hi All,

I have recently ingested Cisco Umbrella logs into Splunk Cloud (8.1.2) and everything seems to be working fine, expect for the Network Resolution DNS data model. When I try to accelerate the model or pivot, I obtain the following errrors:

1) The search job has failed due to an error. You may be able view the job in the job inspector

2) Error in 'lookup' command: Could not construct lookup 'cim_dns_reply_code_lookup, reply_code_id, AS, reply_code_id, OUTPUT, reply_code, AS, reply_code'. See search.log for more details.

3) Cannot expand lookup field 'action' due to a reference cycle in the lookup configuration. Rewrite the lookup configuration to remove the reference cycle.

I reviewed the search.log but don't see anything related to causing the issue. Has anyone experienced or solved this before?

Cheers

jamesdsteel · ‎06-30-2022

Just encountered the same error.

Fixed by downloading the CIM app from Splunkbase and extracting the cim_dns_reply_codes2.csv.default file (from Splunk_SA_CIM/lookups/) , saving it as cim_dns_reply_codes2.csv and then uploading it back to the CIM app on our instance.

For some reason the CSV is there in the app as cim_dns_reply_codes2.csv.default which Splunk doesn't seem to recognise as a valid CSV.

Rebuilding the Network_Resolution data model and seems to be working now.

Network Resolution (DNS) - Could not construct lookups- How to resolve errors?

other

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk