Splunk Enterprise Security

[ES Managed Lookup] error: "An error occurred" in popup window when clicking "Stop managing"

sylim_splunk
Splunk Employee

When creating a managed lookup and the destination app is chosen to be a custom app we made (that ES inherits), it creates problems. We are using ES 5.1.1.

First, if you try to “Stop Managing” the lookup, it gives the error “An error occurred”.
If you try to “Edit configuration”, it gives the error “A managed lookup with the given name ‘lookup:….’ could not be found”.
Pretty much we are unable to manage the managed lookup. (Note: neither the lookup file nor the lookup definition is modified before trying to perform these actions.)
If we create a managed lookup in the Enterprise Security app, we do not have any of these issues. The steps we followed:

  1. Go to Apps -> Manage Apps -> Click Create app (template barebones)
  2. Open Enterprise Security App -> Configure -> General -> App Imports Update
  3. Add the new app name to the Application Regular Expression for all 3 entries (update_es, update_es_da, update_es_main)
  4. Restart search head
  5. Open Enterprise Security App -> Configure -> Content Management -> Create New Content -> Managed Lookup
     5.a. Under Create New tab, browse to a test lookup (test_lookup.csv)
     5.b. App: The newly created app
     5.c. Destination File Name: test_lookup.csv
     5.d. Definition Name: test_lookup
     5.e. Lookup Type: Manually edited
     5.f. Label: test_lookup
     5.g. Allow Lookup Editing: checked
     5.h. Description: test
     5.i. Click save
  6. Find test_lookup in the Content Management section in Enterprise Security
     6.a. Click Stop managing
     6.b. Confirm box pops up -> select Ok
     6.c. Get error in the same pop up box saying “An error occurred”

1 Solution

sylim_splunk
Splunk Employee

It was caused by the 404 error captured in red on the bottom of the screen, which tells us it was not able to find the lookup file you used during the test.

It happens as the new app that was created doesn't allow system access to its objects. The error message is a bit misleading or not accurate enough for you to take any remediation actions. You can fix it by exporting the newly created app you used in step #5.b, such as:

in metadata/local.meta,

[]
export=system

Or

[managed_configurations/lookup%3ALOOKUPName]
export = system
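
An added example (not part of the original post and not Splunk's own code): a Python check that reads an app's default.meta and local.meta text and reports whether the managed lookup from step 5 is exported to system, and whether that comes from the per-object stanza or the app-wide [] stanza. The sample .meta contents are constructed, and the check assumes local.meta overrides default.meta and the most specific stanza that sets export decides.

```python
from urllib.parse import quote


def parse_meta(text):
    """Parse Splunk .meta text into {stanza: {key: value}}; '' is the app-wide [] stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def export_scope(default_meta, local_meta, definition_name):
    """Return (scope, stanza); scope is 'object', 'type', 'app-wide' or 'none'."""
    merged = parse_meta(default_meta)
    for stanza, settings in parse_meta(local_meta).items():
        merged.setdefault(stanza, {}).update(settings)  # assumption: local.meta wins
    # Stanza names are URL-encoded: lookup:test_lookup -> lookup%3Atest_lookup
    obj = "managed_configurations/" + quote("lookup:" + definition_name, safe="")
    # Assumption: the most specific stanza that sets export decides.
    for scope, stanza in (("object", obj), ("type", "managed_configurations"), ("app-wide", "")):
        if "export" in merged.get(stanza, {}):
            exported = merged[stanza]["export"] == "system"
            return (scope if exported else "none"), stanza
    return "none", None


# Constructed sample contents (not taken from a real app).
NO_EXPORT = "[]\naccess = read : [ * ], write : [ admin ]\n"
APP_WIDE = "[]\nexport=system\n"
PER_OBJECT = "[managed_configurations/lookup%3Atest_lookup]\nexport = system\n"

if __name__ == "__main__":
    for label, local in (("no export", ""), ("app-wide", APP_WIDE), ("per-object", PER_OBJECT)):
        print(label, "->", export_scope(NO_EXPORT, local, "test_lookup"))
```

A result of 'object' means only that managed configuration is exported, while 'app-wide' means every object in the app is exported to system.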
