Splunk Enterprise Security

ES 6 fresh install - how to populate assets KV store

sbridge

Hi there. I have used previous versions of ES, and am familiar with importing a CSV of my identities and assets. I just installed 6.0 (clean not upgrade), and loaded the assets and identities from CSV files. Everything works as expected, just like previous versions, and Asset Center shows all my machines correctly. However, every search now returns an error: "The 'asset_lookup_by_cidr' KV Store lookup table is empty or has not yet been replicated to the search peer". The documentation for ES does not seem to be updated for the new KV store lookups, or if it has I cannot locate the search to populate the KV from my "standard" assets file. Probably a simple fix, anyone know the generating search?

Thanks,
Steve

1 Solution

kchamplin_splun
Splunk Employee

This should be automatic - the source lookups (like the file you uploaded) should be automatically merged when a new file is added to the source lookups, or when those sources are modified. That said, we created a new "view" in ES to do all the management of the source lookups, it's called "ess_entity_management". Try to get to that page and ensure your lookups are showing up there, and configured for merge. That page has a tab in it called "Search Preview" that lets you force merge. The entire URI should look similar to the following (just prepend your info for your Splunk server and port):
/en-US/app/SplunkEnterpriseSecuritySuite/ess_entity_management


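The following diagnostic searches are an added example for readers of this thread, not part of the answer above or of ES itself. They check the two things the error message actually complains about: whether the merged KV store collections contain any rows at all, and whether the collection is configured to replicate into the knowledge bundle sent to search peers. They assume the KV store collection behind the asset_lookup_by_cidr lookup is itself named asset_lookup_by_cidr (the ES default mapping in transforms.conf; confirm it on your install) and that the ES app is installed as SplunkEnterpriseSecuritySuite, as in the URI quoted in the answer.

```spl
| inputlookup asset_lookup_by_cidr | stats count AS cidr_rows

| inputlookup asset_lookup_by_str | stats count AS str_rows

| inputlookup identity_lookup_expanded | stats count AS identity_rows

| rest /servicesNS/nobody/SplunkEnterpriseSecuritySuite/storage/collections/config/asset_lookup_by_cidr
| fields title replicate

| rest /services/server/info
| fields splunk_server kvStoreStatus
```

Run each search on the ES search head in the SplunkEnterpriseSecuritySuite app context. Zero rows in the first three means the merge has not populated the KV store yet, which is the case the answer's "Search Preview" force merge is meant to fix; a populated collection with replicate not set to true means search peers never receive a copy and will keep reporting the lookup as "empty or has not yet been replicated" even though Asset Center looks correct on the search head; a kvStoreStatus other than ready means the collection cannot be written to at all, and the merge will silently produce nothing until that is resolved.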
