lookup_conversion: A lookup table could not be created (key: tld, tempfile: /opt/splunk/var/run/splunk/lookup_tmp/lookup_conXXXXX.txt)
I see this error intermittently in a Splunk 6 environment with Clustering enabled, and Enterprise Security on one search head. Wondering if this is a result of manual system restarts (during configuration) or something more is going on.
Ha! This is a known issue:
http://docs.splunk.com/Documentation/ES/latest/RN/KnownIssues
On a Windows search head, the asset and identity center shows no results. Error messages will be displayed on the search head about missing lookup files. The python_modular_inputs.log reports errors:
ERROR pid=4040 tid=asset file=writers.py:_move_lookup:108 | FAILURE: Temporary output file was not created: C:\Program Files\Splunk\var\run\splunk\lookup_tmp\lookup_conv6jppog.txt
ERROR pid=4040 tid=asset file=writers.py:move_lookups:156 | FAILURE: A lookup table could not be created: (key: cidr, tempfile: C:\Program Files\Splunk\var\run\splunk\lookup_tmp\lookup_conv6jppog.txt)
The asset and identity lookup creation and expansion process is not working correctly due to an issue with a python script on Windows. Please contact Splunk Support for a replacement script and reference SOLNESS-4642. (SOLNESS-4642)
Once the script is obtained, follow the instructions below:
1. Replace the writers.py script in $SPLUNK_HOME\etc\apps\SA-Utils\lib\SolnCommon\lookup_conversion
2. Make sure all the .csv's in SA-IdentityManagement\lookups are there, and if not create a new copy from the .csv.default files.
3. Delete all the contents under $SPLUNK_HOME\var\lib\splunk\modinputs\identity_manager
4. Restart Splunk Enterprise
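An added example, not part of the original answer and not Splunk's code: a small triage script that reads python_modular_inputs.log lines, counts lookup creation failures per key, and flags whether the same tempfile was also reported as never created. The function name and the sample lines are assumptions constructed from the two message shapes quoted on this page.

```python
import re
from collections import defaultdict

# Both message shapes quoted on this page are accepted:
#   "... could not be created (key: tld, tempfile: /opt/...)"
#   "... could not be created: (key: cidr, tempfile: C:\...)"
LOOKUP_FAIL = re.compile(
    r"A lookup table could not be created:?\s*"
    r"\(key:\s*(?P<key>[^,]+),\s*tempfile:\s*(?P<tempfile>.+)\)"
)
TEMP_MISSING = re.compile(
    r"Temporary output file was not created:\s*(?P<tempfile>.+?)\s*$"
)

def summarize_lookup_failures(lines):
    """Return {key: {"count": int, "tempfiles": set, "temp_missing": bool}}."""
    missing = set()  # tempfiles the writer reported as never created
    summary = defaultdict(
        lambda: {"count": 0, "tempfiles": set(), "temp_missing": False})
    for line in lines:
        m = TEMP_MISSING.search(line)
        if m:
            missing.add(m.group("tempfile"))
            continue
        m = LOOKUP_FAIL.search(line)
        if m:
            entry = summary[m.group("key").strip()]
            entry["count"] += 1
            entry["tempfiles"].add(m.group("tempfile").strip())
    # Correlate after the full pass so line order does not matter.
    for entry in summary.values():
        entry["temp_missing"] = bool(entry["tempfiles"] & missing)
    return dict(summary)

# Constructed sample input modeled on the lines quoted above.
SAMPLE_LOG = [
    r"ERROR pid=4040 tid=asset file=writers.py:_move_lookup:108 | FAILURE: "
    r"Temporary output file was not created: "
    r"C:\Program Files\Splunk\var\run\splunk\lookup_tmp\lookup_conv6jppog.txt",
    r"ERROR pid=4040 tid=asset file=writers.py:move_lookups:156 | FAILURE: "
    r"A lookup table could not be created: (key: cidr, tempfile: "
    r"C:\Program Files\Splunk\var\run\splunk\lookup_tmp\lookup_conv6jppog.txt)",
    "lookup_conversion: A lookup table could not be created (key: tld, "
    "tempfile: /opt/splunk/var/run/splunk/lookup_tmp/lookup_conXXXXX.txt)",
    "INFO pid=4040 tid=asset | unrelated line (constructed)",
]

if __name__ == "__main__":
    for key, info in summarize_lookup_failures(SAMPLE_LOG).items():
        print(key, info["count"], "temp file never created:", info["temp_missing"])
```

A key whose failures all show temp_missing set matches the pattern in the known issue; failures without a matching "Temporary output file was not created" line need a separate look.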