During searches in Enterprise Security, I get the following error:
Empty csv lookup file (contains only a header) for table 'asset_lookup_by_cidr': /opt/splunk/var/run/searchpeers/{hostname}-1477514321/apps/SA-IdentityManagement/lookups/assets_by_cidr.csv
We recently updated our asset information from Active Directory and our network data. When we look at the assets_by_cidr.csv lookup file, it is not populating after a merge.
I had no CIDR entries...fixed.
Hey Panovattack,
It looks to me that the expandiprange.py Python script that is called to populate the assets_by_cidr.csv lookup requires the IP field in | asset_sources
to be either an IP range (as in 10.250.20.01-10.250.20.255) or in CIDR notation (e.g. 10.0.0.0/8). If it is just an IP, the lookup simply doesn't populate, because one of the macros' regexes further down the search pipeline filters on IPs in CIDR notation.
So how did you get those CIDR entries in the IP or how did you populate the assets_by_cidr.csv lookup?
Thanks.
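The reply above says the by-CIDR lookup only gets rows whose ip field is a range or a CIDR block, and that bare IPs are dropped on the way. The following is an added example, not code from the thread and not Splunk's own expandiprange.py: it applies that rule to a constructed asset CSV (the header and rows are made up for illustration, and only the ip column matters), reports which rows would yield nothing, and shows how a range expands into CIDR blocks. Whether the real script expands ranges exactly this way is an assumption.

```python
"""Check which rows of an asset lookup CSV would produce by-CIDR entries.

Added example for this thread, not Splunk's expandiprange.py. It assumes
(as described in the reply above) that only an IP range ("a-b") or a CIDR
block ("x/y") in the "ip" field produces entries in the by-CIDR lookup and
that a bare IP address does not.
"""
import csv
import io
import ipaddress

# Constructed sample; column names other than "ip" are illustrative only.
SAMPLE_ASSET_CSV = """\
ip,nt_host,priority
10.250.20.1-10.250.20.255,,medium
10.0.0.0/8,,low
192.168.1.17,host17,high
,host18,low
10.1.1.300,bad,low
"""


def classify_ip_field(value):
    """Return 'cidr', 'range', 'single', 'empty' or 'invalid' for one ip cell."""
    v = value.strip()
    if not v:
        return "empty"
    if "/" in v:
        try:
            ipaddress.ip_network(v, strict=False)
            return "cidr"
        except ValueError:
            return "invalid"
    if "-" in v:
        lo, _, hi = v.partition("-")
        try:
            a = ipaddress.ip_address(lo.strip())
            b = ipaddress.ip_address(hi.strip())
        except ValueError:
            return "invalid"
        return "range" if a.version == b.version and a <= b else "invalid"
    try:
        ipaddress.ip_address(v)
        return "single"
    except ValueError:
        return "invalid"


def expand_to_cidrs(value):
    """CIDR blocks an ip cell would contribute; empty for single/empty/invalid."""
    kind = classify_ip_field(value)
    v = value.strip()
    if kind == "cidr":
        return [str(ipaddress.ip_network(v, strict=False))]
    if kind == "range":
        lo, _, hi = v.partition("-")
        nets = ipaddress.summarize_address_range(
            ipaddress.ip_address(lo.strip()), ipaddress.ip_address(hi.strip()))
        return [str(n) for n in nets]
    return []


def check_asset_csv(csv_text):
    """Return (cidr_rows, skipped).

    cidr_rows: (line number, ip cell, [cidr, ...]) for rows that contribute.
    skipped:   (line number, ip cell, reason) for rows that would not.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames is None or "ip" not in reader.fieldnames:
        raise ValueError("asset CSV has no 'ip' column in its header")
    cidr_rows, skipped = [], []
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        raw = row.get("ip") or ""
        cidrs = expand_to_cidrs(raw)
        if cidrs:
            cidr_rows.append((n, raw.strip(), cidrs))
        else:
            skipped.append((n, raw.strip(), classify_ip_field(raw)))
    return cidr_rows, skipped


if __name__ == "__main__":
    rows, dropped = check_asset_csv(SAMPLE_ASSET_CSV)
    for n, ip, cidrs in rows:
        print(f"line {n}: {ip} -> {', '.join(cidrs)}")
    for n, ip, why in dropped:
        print(f"line {n}: {ip!r} skipped ({why})")
    if not rows:
        print("no range/CIDR rows: the by-CIDR lookup would contain only a header")
```

Run it against an exported asset_list.csv by reading the file into check_asset_csv; if every row comes back in the skipped list, that matches the "contains only a header" error in the question.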
This was resolved. No data actually had a CIDR block designation, we made the correction and everything started working.
Hi, could you let me know how you solved it?
Can you please share the steps?
In ES 6.0 the assets_by_cidr.csv lookup was migrated to the asset_lookup_by_cidr KV store lookup.
You can populate the KV store table with a dummy entry to remove the message.
Navigate to ES App > Configure > Data Enrichment > Asset and Identity Management
(/en-US/app/SplunkEnterpriseSecuritySuite/ess_entity_management)
On the Asset Lookup Configuration tab, ensure static_assets Status is set to Enable. If not, click the Enable link.
Click the Source simple_asset_lookup and the editor will open in a new window.
Type in 192.168.0.1/30 to the "ip" field and save it.
What version of ES do you have? If 4.5, check to make sure that the corresponding saved search is running.
http://docs.splunk.com/Documentation/ES/4.5.0/User/AssetandIdentityMerging
Does anyone have a list of the fields that should be in that lookup? (assets_by_cidr.csv)
I just did another merge and I see:
index=_internal source=*python_modular_input.log (asset OR identity)
Result:
2016-10-26 16:45:10,570 INFO pid=3702 tid=asset file=lookup_modinput.py:streaming_merge_task:310 | status="Lookup table updated" target="asset_lookup_by_cidr" file="/opt/splunk/var/run/splunk/lookup_tmp/lookup_convaowpMV.txt"
However, "| inputlookup asset_lookup_by_cidr" still returns no results.
Look for index=_internal sourcetype=splunkd or source=*python_modular* ERROR
over the last hour or so (it runs every 5 minutes). If they aren't merging, it generally means the process is erroring out on an entry in one of the CSVs being merged: a header issue, a problem with the field contents of a line, etc.
It will be an iterative process, as the merge process bails after the first error.
If you review the asset_lookup_by_cidr in the lists and lookups view in the UI, does it show content there?
No, I see no data.
4.1.1; we have tried a forced merge. Also, when we search index=_internal source=*python_modular_input.log (asset OR identity) we get:
2016-10-26 16:13:41,322 INFO pid=3406 tid=MainThread file=lookup_modinput.py:collect_files:130 | status="Lookup table file found" name=asset_list category=asset path=/opt/splunk/etc/apps/SA-IdentityManagement/lookups/asset_list.csv size=##### last_updated=########
I removed the actual numbers with #'s.
I can manually search and validate the lookup file exists at that location.