Splunk Enterprise Security

[ES Managed Lookup] error: "An error occurred" in popup window when clicking "Stop managing"

sylim_splunk
Splunk Employee

When creating a managed lookup and the destination app is chosen to be a custom app we made (that ES inherits), it creates problems. We are using ES 5.1.1.

First, if you try to “Stop Managing” the lookup, it gives the error “An error occurred”.
If you try to “Edit configuration”, it gives the error “A managed lookup with the given name ‘lookup:….’ could not be found”.
Pretty much we are unable to manage the managed lookup. (Note: neither the lookup file nor the lookup definition is modified before trying to perform these actions.)
If we create a managed lookup in the Enterprise Security app, we do not have any of these issues. The steps we followed:

  1. Go to Apps -> Manage Apps -> Click Create app (template barebones)
  2. Open Enterprise Security App -> Configure -> General -> App Imports Update
  3. Add the new app name to the Application Regular Expression for all 3 entries (update_es, update_es_da, update_es_main)
  4. Restart search head
  5. Open Enterprise Security App -> Configure -> Content Management -> Create New Content -> Managed Lookup

     5.a. Under Create New tab, browse to a test lookup (test_lookup.csv)
     5.b. App: The newly created app
     5.c. Destination File Name: test_lookup.csv
     5.d. Definition Name: test_lookup
     5.e. Lookup Type: Manually edited
     5.f. Label: test_lookup
     5.g. Allow Lookup Editing: checked
     5.h. Description: test
     5.i. Click save

  6. Find test_lookup in the Content Management section in Enterprise Security
     6.a. Click Stop managing
     6.b. Confirm box pops up -> select Ok
     6.c. Get error in the same pop up box saying “An error occurred”

1 Solution

sylim_splunk
Splunk Employee

It was caused by the 404 error captured in red at the bottom of the screen, which tells us it was not able to find the lookup file you used during the test.

It happens because the new app that was created doesn't allow system access to its objects. The error message is a bit misleading, or not accurate enough for you to take any remediation actions. You can fix it by exporting the newly created app you used in step #5.b, such as

in metadata/local.meta,

[]
export = system

or

[managed_configurations/lookup%3ALOOKUPName]
export = system
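
A way to check which of the two fixes above is in effect for a given lookup, as an added example that is not part of the original answer or of Splunk's own code: it parses the text of metadata/local.meta and reports whether the export comes from the app-wide [] stanza, which applies to every object in the app, or from the per-lookup stanza only. The function names and sample file contents are constructed for illustration; it assumes the most specific stanza takes precedence and reads a single file without merging default.meta.

```python
from urllib.parse import quote

# Constructed local.meta samples (not taken from a real app).
NO_EXPORT = "[]\naccess = read : [ * ], write : [ admin ]\n"
APP_WIDE = "[]\naccess = read : [ * ], write : [ admin ]\nexport=system\n"
SCOPED = NO_EXPORT + "\n[managed_configurations/lookup%3Atest_lookup]\nexport = system\n"

def parse_meta(text):
    """Parse .meta text into {stanza: {key: value}}; '' is the app-wide [] stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def lookup_stanza(definition_name):
    """Stanza name for a managed lookup; ':' is percent-encoded as %3A."""
    return "managed_configurations/" + quote("lookup:" + definition_name, safe="")

def export_scope(meta_text, definition_name):
    """Return (export value, stanza that set it); the most specific stanza wins."""
    meta = parse_meta(meta_text)
    for stanza in (lookup_stanza(definition_name), "managed_configurations", ""):
        value = meta.get(stanza, {}).get("export")
        if value is not None:
            return value, stanza
    return None, None

def describe(meta_text, definition_name):
    """Human-readable verdict for one managed lookup definition."""
    value, stanza = export_scope(meta_text, definition_name)
    if value != "system":
        return "not exported to system: expect the 404 / 'An error occurred'"
    if stanza == "":
        return "exported app-wide via []: applies to all objects in the app"
    return "exported via [%s]" % stanza

if __name__ == "__main__":
    for label, text in (("no export", NO_EXPORT), ("app-wide", APP_WIDE), ("scoped", SCOPED)):
        print(label, "->", describe(text, "test_lookup"))
```

The per-lookup stanza shares only that one managed configuration, so it is the narrower of the two options when the custom app holds other objects that should stay private to it.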

