Splunk Enterprise Security

Why is the assets_by_cidr.csv lookup file not populating during asset merge?

panovattack
Communicator

During searches in Enterprise Security, I get the following error:

Empty csv lookup file (contains only a header) for table 'asset_lookup_by_cidr': /opt/splunk/var/run/searchpeers/{hostname}-1477514321/apps/SA-IdentityManagement/lookups/assets_by_cidr.csv

We recently updated our asset information from Active Directory and our network data. When we look at the assets_by_cidr.csv lookup file, it is not populating after a merge.

1 Solution

panovattack
Communicator

I had no CIDR entries...fixed.

View solution in original post

0 Karma

panovattack
Communicator

I had no CIDR entries...fixed.

View solution in original post

0 Karma

hatalla
Path Finder

Hey Panovattack,

It looks to me that the expandiprange.py Python script that is called to populate the assets_by_cidr.csv lookup requires that the IP field in | asset_sources to be either an IP range (as in 10.250.20.01-10.250.20.255 ) or in CIDR notation (e.g. 10.0.0.0/8) if it is just an IP the lookup just doesn't populate because one of the macros regex down the | line filters on IPs in CIDR notations.

So how did you get those CIDR entries in the IP or how did you populate the assets_by_cidr.csv lookup?

Thanks.

panovattack
Communicator

This was resolved. No data actually had a CIDR block designation, we made the correction and everything started working.

khalidewaidah
Explorer

Hi , Could you let me know how do you solve it

0 Karma

riqbal47010
Path Finder

can you please share the steps

0 Karma

pcarlow_splunk
Splunk Employee
Splunk Employee

In ES 6.0 assets_by_cidr.csv lookup was migrated to asset_lookup_by_cidr kvstore lookup.

You can populate the KV store table with a dummy entry to remove the message.

Navigate to ES App > Configure > Data Enrichment > Asset and Identity Management
(/en-US/app/SplunkEnterpriseSecuritySuite/ess_entity_management)

On the Asset Lookup Configuration tab, ensure static_assets Status is set to Enable. If not, click the Enable link.

Click the Source simple_asset_lookup and the editor will open in a new window.
Type in 192.168.0.1/30 to the "ip" field and save it.

smoir_splunk
Splunk Employee
Splunk Employee

What version of ES do you have? If 4.5, check to make sure that the corresponding saved search is running.
http://docs.splunk.com/Documentation/ES/4.5.0/User/AssetandIdentityMerging

0 Karma

panovattack
Communicator

Does anyone have a list of the fields that should be in that lookup? (assets_by_cidr.csv)

panovattack
Communicator

I just did another merge and I see:

index=_internal source=*python_modular_input.log (asset OR identity)

Result:
2016-10-26 16:45:10,570 INFO pid=3702 tid=asset file=lookup_modinput.py:streaming_merge_task:310 | status="Lookup table updated" target="asset_lookup_by_cidr" file="/opt/splunk/var/run/splunk/lookup_tmp/lookup_convaowpMV.txt"

However, "| inputlookup asset_lookup_by_cidr" still returns no results.

0 Karma

nnmiller
Contributor

Look for index=_internal sourcetype=splunkd or source=*python_modular* ERROR over the last hour or so (it runs every 5 minutes). If they aren't merging it generally means the process is erroring out on an entry in one of the CSVs being merged--header issue, problem with field contents of a line, etc.

It will be an iterative process, as the merge process bails after the first error.

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

If you review the asset_lookup_by_cidr in the lists and lookups view in the UI, does it show content there?

0 Karma

panovattack
Communicator

No, I see no data.

0 Karma

panovattack
Communicator

4.1.1, we have tried a forced merge. Also when we search index=_internal source=*python_modular_input.log (asset OR identity) we get:

2016-10-26 16:13:41,322 INFO pid=3406 tid=MainThread file=lookup_modinput.py:collect_files:130 | status="Lookup table file found" name=asset_list category=asset path=/opt/splunk/etc/apps/SA-IdentityManagement/lookups/asset_list.csv size=##### last_updated=########

I removed the actual numbers with #'s.

I can manually search and validate the lookup file exists at that location.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!