Re: Splunk Add-on for Cisco ASA

vmicovic2 · ‎09-25-2019

hi, after installing this plugin, i have errors on every search, realted to cisco or not...
Always see this errors:
Could not load lookup=LOOKUP-cisco-asa-action_lookup
Could not load lookup=LOOKUP-cisco-pix-action_lookup
Could not load lookup=LOOKUP-cisco_fwsm_action_lookup

i see this search is located in /opt/splunk/etc/apps/Splunk_TA_cisco-asa/default/props.conf but not sure what need to change to fix this?

thank you.

vmicovic2 · ‎09-26-2019

nothing changed. Cannot understand what i need to do in lookup definitions?
all seems fine by me 😄
i found post with similar case, but don`t understand what he changed: https://answers.splunk.com/answers/774032/splunk-add-on-for-cisco-asa.html

broberg · ‎09-25-2019

This is a permission error in some way.
Sometime it is becuase a user have shared something globally.

When an app have the error it is often that it is not shared globally or not shared to the correct users, or from the wrong app.

Apps -> Manage Apps -> Sharing -> Permission

It can also be a good idee to search for the lookup yourself from other apps or the same and see if it will give you some hints)
Settings -> Lookups -> Lookup Definitions and search for the reported lookup. There you will see the name of the lookup file being used and the app which should own it. Create/replace the lookup file with the same name in that app

vmicovic2 · ‎09-25-2019

hi, i added to everyone write permission but it is the same, still get errors... 😕

broberg · ‎09-26-2019

What happens when you search for the lookup from an other app, or the same?

Go to Settings -> Lookups -> Lookup Definitions and search for the reported lookup. There you will see the name of the lookup file being used and the app which should own it. Create/replace the lookup file with the same name in that app and the error will go away (its worth a test)

And try change the permission on the other way so they are not shared globally only in app, but everyone can read them.

broberg · ‎09-25-2019

How about read permission? And is it shared globally and not just in app?

vmicovic2 · ‎09-26-2019

i think this is ok?

broberg · ‎09-26-2019

Yes, that is correct.

vmicovic2 · ‎09-26-2019

and? 🙂
what can i do next?

do you have this addon?

broberg · ‎09-26-2019

I updated my answer.
I have the app shared globally with everyone read and admin to write.
It maybe some local config errors on the lookup so try if you can use them urself.

vmicovic2 · ‎10-07-2019

seems it is not issue with rights ...

RCA · ‎03-21-2024

Check your local.meta file at the following path:

/opt/splunk/etc/apps/Splunk_TA_cisco-asa/metadata

and look for this stanza

[lookups]
access = read : [  power, sc_admin ],
write : [ ess_analyst, power, sc_admin ]
export = system
version = 9.1.2308.201
modtime = 1710775209.916764000

then add the role to the access like so:

access = read : [  user ,power, sc_admin ]

If this answer helped, let me know.

Splunk Add-on for Cisco ASA

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?