We are validating our Splunk 6.1.1 ES installation and have noticed the "asset_lookup_by_cidr" kvstore based lookup data is not being populated. Looks like ES 6.1.1 now runs a python script module in a input process to extract the data from our assets file then into the kvstore for further processing. It's not working and i am struggling to figure out how to troubleshoot the the python modular approach to this extraction.
Any idea where I can look for issues? Here are some of the items I have already checked.
1. Our asset data does include the ip field with entries containing subnet masks. Like 127.0.0.1/32 .
2. Running the original 5.x correlation query which used to populate the "asset_lookup_by_cidr" table produces results. This leads me to believe the data is in good shape.
3. A review of the _internal logs is not showing any python scripting errors from the modules that I have noticed.