Splunk Enterprise

Why are dvc fields (e.g dvc_city) not populating/ possible error with Lookup_Editor app/ lookup file?


I am working with ES and the DVC_city filed is not populating which is derived from a lookup table file.

We have: checked the file, ensured the .csv format is correct etc, removed the fields for that particular data set and readded. 

We added the data via the Lookup_editor. Upon troubleshooting, we received errors when we ran the following search: index=_internal (sourcetype=lookup_editor_rest_handler OR sourcetype=lookup_backups_rest_handler) INFO OR WARNING OR ERROR OR CRITICAL | rex field=_raw "(?<severity>(DEBUG)|(ERROR)|(WARNING)|(INFO)|(CRITICAL)) (?<message>.*)" | fillnull severity value="UNDEFINED" | search severity=ERROR

ERROR Unable to force replication of the lookup file, user= <user's_name>
, namespace=SplunkEnterpriseSecuritySuite, lookup_file=lookup_file.csv Traceback (most recent call last): File "/opt/splunk/etc/apps/lookup_editor/bin/lookup_editor/__init__.py", line 415, in update self.force_lookup_replication(namespace, lookup_file, session_key) File "/opt/splunk/etc/apps/lookup_editor/bin/lookup_editor/__init__.py", line 292, in force_lookup_replication if 'No local ConfRepo registered' in content: TypeError: a bytes-like object is required, not 'str'
Please note the following:
1. We periodically add data to this lookup file and this is the first time recieving this error 
2. We are on the Splunk Cloud Platform
3. As a result, we are not recieving any enrichments for any new data added to that particular lookup file. Previous data is populating as normal with the dvc fields as expected. 
4. Asset lookup was added in ES and the new lookup data is shown in exported file
5. Inputlookup search is generating the new data added with the "city" field which maps to dvc_city
6. The global setting is configured for the correct city/ip mapping in ES
Let me know if any other information is required.


Labels (2)
0 Karma
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...