Splunk Enterprise Security

Splunk ES 6.1.1 asset_lookup_by_cidr not populated

kwasielewski
Path Finder

We are validating our Splunk 6.1.1 ES installation and have noticed the "asset_lookup_by_cidr" kvstore based lookup data is not being populated.  Looks like ES 6.1.1 now runs a python script module in a input process to extract the data from our assets file then into the kvstore for further processing.  It's not working and i am struggling to figure out how to troubleshoot the the python modular approach to this extraction. 

Any idea where I can look for issues?  Here are some of the items I have already checked.

1.  Our asset data does include the ip field with entries containing subnet masks.  Like 127.0.0.1/32 .

2. Running the original 5.x correlation query which used to populate the "asset_lookup_by_cidr" table produces results.  This leads me to believe the data is in good shape.

3. A review of the _internal logs is not showing any python scripting errors from the modules that I have noticed.

Thank you,

Ken

 

 

Tags (1)
0 Karma
1 Solution

jwelch_splunk
Splunk Employee
Splunk Employee

/32 will not help you here because we interpret that as one (1) ip address.... Something like 127.0.0.0/8 would work here.

 

If you have other data in your source files that is something other than a /32 or a format in the following:

https://docs.splunk.com/Documentation/ES/6.2.0/Admin/Formatassetoridentitylist#Asset_lookup_fields

Look at the IP field example.

 

Then you might be having an issue.  I would suggest you start with the identity_manager.log to see what is going on here.  If you have more information please provide it and I will try and help you out.

 

Okie

View solution in original post

jwelch_splunk
Splunk Employee
Splunk Employee

/32 will not help you here because we interpret that as one (1) ip address.... Something like 127.0.0.0/8 would work here.

 

If you have other data in your source files that is something other than a /32 or a format in the following:

https://docs.splunk.com/Documentation/ES/6.2.0/Admin/Formatassetoridentitylist#Asset_lookup_fields

Look at the IP field example.

 

Then you might be having an issue.  I would suggest you start with the identity_manager.log to see what is going on here.  If you have more information please provide it and I will try and help you out.

 

Okie

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...