Splunk Enterprise

Why are dvc fields (e.g dvc_city) not populating/ possible error with Lookup_Editor app/ lookup file?

TamishaJ
Engager

I am working with ES and the DVC_city filed is not populating which is derived from a lookup table file.

We have: checked the file, ensured the .csv format is correct etc, removed the fields for that particular data set and readded. 

We added the data via the Lookup_editor. Upon troubleshooting, we received errors when we ran the following search: index=_internal (sourcetype=lookup_editor_rest_handler OR sourcetype=lookup_backups_rest_handler) INFO OR WARNING OR ERROR OR CRITICAL | rex field=_raw "(?<severity>(DEBUG)|(ERROR)|(WARNING)|(INFO)|(CRITICAL)) (?<message>.*)" | fillnull severity value="UNDEFINED" | search severity=ERROR

ERROR Unable to force replication of the lookup file, user= <user's_name>
, namespace=SplunkEnterpriseSecuritySuite, lookup_file=lookup_file.csv Traceback (most recent call last): File "/opt/splunk/etc/apps/lookup_editor/bin/lookup_editor/__init__.py", line 415, in update self.force_lookup_replication(namespace, lookup_file, session_key) File "/opt/splunk/etc/apps/lookup_editor/bin/lookup_editor/__init__.py", line 292, in force_lookup_replication if 'No local ConfRepo registered' in content: TypeError: a bytes-like object is required, not 'str'
 
Please note the following:
1. We periodically add data to this lookup file and this is the first time recieving this error 
2. We are on the Splunk Cloud Platform
3. As a result, we are not recieving any enrichments for any new data added to that particular lookup file. Previous data is populating as normal with the dvc fields as expected. 
4. Asset lookup was added in ES and the new lookup data is shown in exported file
5. Inputlookup search is generating the new data added with the "city" field which maps to dvc_city
6. The global setting is configured for the correct city/ip mapping in ES
 
Let me know if any other information is required.

 

Labels (2)
0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...