I am working with ES and the DVC_city field, which is derived from a lookup table file, is not populating.
We have checked the file, ensured the .csv format is correct, etc., and removed the fields for that particular data set and re-added them.
We added the data via the Lookup_editor. Upon troubleshooting, we received errors when we ran the following search:
index=_internal (sourcetype=lookup_editor_rest_handler OR sourcetype=lookup_backups_rest_handler) INFO OR WARNING OR ERROR OR CRITICAL | rex field=_raw "(?<severity>(DEBUG)|(ERROR)|(WARNING)|(INFO)|(CRITICAL)) (?<message>.*)" | fillnull severity value="UNDEFINED" | search severity=ERROR
ERROR Unable to force replication of the lookup file, user=<user's_name>, namespace=SplunkEnterpriseSecuritySuite, lookup_file=lookup_file.csv
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/lookup_editor/bin/lookup_editor/__init__.py", line 415, in update
    self.force_lookup_replication(namespace, lookup_file, session_key)
  File "/opt/splunk/etc/apps/lookup_editor/bin/lookup_editor/__init__.py", line 292, in force_lookup_replication
    if 'No local ConfRepo registered' in content:
TypeError: a bytes-like object is required, not 'str'
Please note the following:
1. We periodically add data to this lookup file and this is the first time receiving this error
2. We are on the Splunk Cloud Platform
3. As a result, we are not receiving any enrichments for any new data added to that particular lookup file. Previous data is populating as normal with the dvc fields as expected.
4. The asset lookup was added in ES and the new lookup data is shown in the exported file
5. An inputlookup search returns the newly added data with the "city" field, which maps to dvc_city
6. The global setting is configured for the correct city/ip mapping in ES
Let me know if any other information is required.
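The traceback in the post above points at a Python 3 str/bytes mismatch: the REST response body held in `content` is a bytes object, and testing a str literal against it raises exactly the TypeError shown, so the replication check never completes. The following added example (written for this thread, not code from the lookup_editor app) reproduces that failure on a constructed response body and shows the defensive check a practitioner would want: normalise the body to text before searching it. The function names, the sample XML body and the marker text are assumptions chosen to mirror the traceback.

```python
"""Reproduce the str-vs-bytes mismatch from the traceback and show a
defensive alternative. Illustrative code for this thread only; not the
lookup_editor app's own implementation. Names and sample data are assumed.
"""

# Substring the traceback shows being tested against the response body.
MARKER = "No local ConfRepo registered"

# Constructed sample bodies. In Python 3 an HTTP client typically hands back
# bytes, which is what the traceback shows 'content' to be.
SAMPLE_BYTES = (
    b'<response><messages><msg type="ERROR">'
    b"No local ConfRepo registered"
    b"</msg></messages></response>"
)
SAMPLE_STR = SAMPLE_BYTES.decode("utf-8")


def naive_check(content):
    """Mirrors the failing line: a str literal tested against 'content'.

    Fine under Python 2 (str and bytes are the same type); under Python 3
    it raises TypeError as soon as 'content' is bytes.
    """
    return MARKER in content


def to_text(content, encoding="utf-8"):
    """Normalise a response body to str whether the HTTP layer returned
    bytes or str, so downstream substring checks cannot hit the mismatch."""
    if isinstance(content, bytes):
        return content.decode(encoding, errors="replace")
    if isinstance(content, str):
        return content
    raise TypeError(
        "response body must be bytes or str, got %s" % type(content).__name__
    )


def no_local_confrepo(content):
    """Safe replacement for the failing check: True when splunkd reports
    that no local ConfRepo is registered (replication cannot be forced)."""
    return MARKER in to_text(content)


def reproduce_error():
    """Run the naive check on a bytes body and return the TypeError text,
    or None when the check succeeds (as it would under Python 2)."""
    try:
        naive_check(SAMPLE_BYTES)
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("naive check on bytes ->", reproduce_error())
    print("safe check on bytes  ->", no_local_confrepo(SAMPLE_BYTES))
    print("safe check on str    ->", no_local_confrepo(SAMPLE_STR))
```

Running the block prints the same TypeError message as the traceback for the naive check, while the normalised check returns True for both the bytes and the str form of the body. If a lookup-editor error of this shape appears in `index=_internal`, the enrichment gap described in the post is the expected symptom: the edit is saved locally but the step that pushes the file to the search peers has aborted.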
Has anyone run across the following issue before?
I am trying to implement the Splunk SOAR app, but we are not able to select the "create server" button. We have referred to the online documentation, but we do not see the option to replace each instance of phantom with splunk_app_soar.