Troubleshoot the Splunk App for Lookup File Editing

The following examples provide steps for resolving common issues that users experience in the Splunk App for Lookup File Editing.

Data imported into a CSV lookup file does not separate into columns as expected

Your CSV file might have values that misidentify as cell delimiters. For example, if you are using commas to separate your field values, but some field values include semicolons, the importer might interpret those semicolons as additional delimiters.

Make sure your CSV file uses only one of the following delimiters:

• Comma (",")
• Semicolon (";")
• Tabspace ("\t")
• Pipe ("|")
• Carrot ("^")

Also, make sure that the CSV file does not include other delimiters as field values.

The app no longer works after an upgrade

A caching issue might be the cause of the app not working after an upgrade. See, How do I clear the cache to see the changes after updating a Splunk application? in Splunk Answers.

User cannot open, load, or save lookup files

Look for applicable log messages with the following search:

index=_internal (sourcetype="lookup_editor_controller" OR sourcetype=lookup_editor_rest_handler OR sourcetype=lookup_backups_rest_handler)

Lookup file edits do not save

If the edits you make to a lookup file do not save, check the following two things to see if there are any errors:

• Browser errors
• Error logs

Check for browser errors

1. Open the console in your browser. See the following pages for instructions: https://lucidchart.zendesk.com/hc/en-us/articles/207323676-How-to-Open-the-JavaScript-Console, https://webmasters.stackexchange.com/questions/8525/how-do-i-open-the-javascript-console-in-different-browsers
2. Refresh the page and reproduce the issue.
3. Look for console logs that indicate an error.

If support is helping to troubleshoot the issue, you can generate and provide them with a HAR file. See https://support.zendesk.com/hc/en-us/articles/204410413-Generating-a-HAR-file-for-troubleshooting for details.

Check for error logs

Run the following search and see if any errors exist:

index=_internal (sourcetype="lookup_editor_controller" OR sourcetype=lookup_editor_rest_handler OR sourcetype=lookup_backups_rest_handler)

User cannot copy and paste data in bulk from Microsoft Excel or CSV files into a lookup

When copying and pasting a large number of records from a Microsoft Excel or CSV files into a lookup, the page might become unresponsive as shown in the following image.

You can avoid this situation by copying and pasting a maximum of 50 rows and 10 columns at a time. On average, copying and pasting 50 rows and 10 columns takes 5 to 7 seconds. Increasing the number of rows beyond 50 and the number of columns beyond 10 can make the page unresponsive.
If the page becomes unresponsive, you can use the Wait button. Waiting might clear the unresponsive page, but it is not guaranteed. The wait time depends on the amount of the data you copy. Copying more rows and columns increases the waiting time.

One of the REST handlers is offline

If you recently updated or installed the Splunk App for Lookup File Editing, then you might need to restart the search heads again. This is particularly important if you are using search head clustering (SHC) and the deployer recently pushed the app to the search heads.

Audit changes to the lookup file

The lookup editor keeps a log that is indexed into the _internal index. Run the following command to view the logs:

index=_internal "Lookup edited successfully" | table _time user namespace lookup_file

Set up the app on a search head cluster

Perform the following steps to set up the app on a search head cluster:

1. Install the Splunk App for Lookup File Editing on the search head cluster.
2. Use the deployer to distribute the app updates.
3. Go to $SPLUNK_HOME/etc/shcluster/apps/lookup_editor/default/restmap.conf
4. Enable replication of the lookup backups by using the REST replay feature. Add the following to restmap.conf:

   [global]
   allowRestReplay = true

5. Run the following command to push the search head cluster bundle. In this example, the value of SH-uri is https://<fqdn-of-any-sh>:8089:

   splunk apply shcluster-bundle -target <SH-uri> -preserve-lookups true

Run the app on a search head cluster

There are several things to consider when running the app on a search head cluster:

• A backup lookup file doesn't replicate unless you enable it to.
• CSV file and KV store lookups replicate automatically by default.
• Make sure that the app has been distributed to all of the search heads before troubleshooting issues with the app.
• Make sure your web-browsers are not caching older versions of the app.

Enable replication of the lookup file backups to other search heads when using a search head cluster

You can enable replication of the lookup backups by using the REST replay feature. To enable this, add the following in restmap.conf to the $SPLUNK_HOME/etc/shcluster/lookup_editor/default/restmap.conf file:

[global]
allowRestReplay = true

Enabling replication of the lookup file backups works on Splunk Enterprise version 6.3 and higher, and on Splunk Enterprise version 7.1 and higher. Do not enable replication on Splunk Enterprise versions 7.0.0 to 7.0.3 due to a bug that causes REST replay to crash splunkd.

Contact support

If you require further assistance from support, provide the following information with your support request:

1. HAR file: Reproduce the error in your browser and generate a HAR file per the following instructions: https://support.zendesk.com/hc/en-us/articles/204410413-Generating-a-HAR-file-for-troubleshooting
2. Log files:Export the log files using the following search:

   index=_internal (sourcetype="lookup_editor_controller" OR sourcetype=lookup_editor_rest_handler OR sourcetype=lookup_backups_rest_handler)