Getting Data In

Splunk Add-on for Cisco ASA

vmicovic2
Explorer

hi, after installing this plugin, i have errors on every search, realted to cisco or not...
Always see this errors:
Could not load lookup=LOOKUP-cisco-asa-action_lookup
Could not load lookup=LOOKUP-cisco-pix-action_lookup
Could not load lookup=LOOKUP-cisco_fwsm_action_lookup

ss

i see this search is located in /opt/splunk/etc/apps/Splunk_TA_cisco-asa/default/props.conf but not sure what need to change to fix this?

thank you.

Tags (1)
0 Karma

vmicovic2
Explorer

nothing changed. Cannot understand what i need to do in lookup definitions?
all seems fine by me 😄
i found post with similar case, but don`t understand what he changed: https://answers.splunk.com/answers/774032/splunk-add-on-for-cisco-asa.html

0 Karma

broberg
Communicator

This is a permission error in some way.
Sometime it is becuase a user have shared something globally.

When an app have the error it is often that it is not shared globally or not shared to the correct users, or from the wrong app.

Apps -> Manage Apps -> Sharing -> Permission

It can also be a good idee to search for the lookup yourself from other apps or the same and see if it will give you some hints)
Settings -> Lookups -> Lookup Definitions and search for the reported lookup. There you will see the name of the lookup file being used and the app which should own it. Create/replace the lookup file with the same name in that app

vmicovic2
Explorer

hi, i added to everyone write permission but it is the same, still get errors... 😕

0 Karma

broberg
Communicator

What happens when you search for the lookup from an other app, or the same?

Go to Settings -> Lookups -> Lookup Definitions and search for the reported lookup. There you will see the name of the lookup file being used and the app which should own it. Create/replace the lookup file with the same name in that app and the error will go away (its worth a test)

And try change the permission on the other way so they are not shared globally only in app, but everyone can read them.

0 Karma

broberg
Communicator

How about read permission? And is it shared globally and not just in app?

0 Karma

vmicovic2
Explorer

i think this is ok?
ss

0 Karma

broberg
Communicator

Yes, that is correct.

0 Karma

vmicovic2
Explorer

and? 🙂
what can i do next?

do you have this addon?

0 Karma

broberg
Communicator

I updated my answer.
I have the app shared globally with everyone read and admin to write.
It maybe some local config errors on the lookup so try if you can use them urself.

0 Karma

vmicovic2
Explorer

seems it is not issue with rights ...

0 Karma

RCA
Splunk Employee
Splunk Employee

Check your local.meta file at the following path:

/opt/splunk/etc/apps/Splunk_TA_cisco-asa/metadata

and look for this stanza

[lookups]
access = read : [  power, sc_admin ],
write : [ ess_analyst, power, sc_admin ]
export = system
version = 9.1.2308.201
modtime = 1710775209.916764000



then add the role to the access like so:

access = read : [  user ,power, sc_admin ]




If this answer helped, let me know. 

Tags (2)
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...