Lookup Editor v4.0.7 Crash on Splunk Cloud 10.2: Root Cause & Resolution 

By Dave Cheever, Team Lead, MDR Engineering Services, Landon Bond, SOC Manager, and Oliver Dare, Senior Splunk Engineer

TL;DR 

Lookup Editor v4.0.7 crashes on affected Splunk Cloud 10.2 builds due to a Python environment isolation bug in the platform, not a flaw in the app itself. Removing the app from affected environments stops the crashes immediately. The permanent fix requires upgrading to at least Splunk Cloud 10.2.2510.18, with 10.3 being the preferred path for the most durable resolution. The technical breakdown of why this happens is below. 

The Problem 

Our engineers and analysts began seeing a pattern across several client environments: application crashes and performance degradation consistently tied to Lookup Editor v4.0.7 on Splunk Cloud. Environments running earlier versions of the app continued to operate normally, and removing Lookup Editor from affected stacks immediately restored system performance, indicating the app version was a key factor in the crash condition. 

The following error was observed in internal Splunk logs across affected environments: 

ERROR HttpListener [1793132 TcpChannelThread] - Exception while processing request from x.x.x.x:xxxxx for /en-US/splunkd/__raw/services/apps/local/lookup_editor?output_mode=json: bad character (49) in reply size 

Root Cause 

A Splunk Cloud update introduced a condition where cloud_administration’s python-dateutil and botocore dependency chain breaks the Python environment that Lookup Editor v4.0.7’s handlers are directed into via the python.required constraint. Python environment isolation was not enforced correctly in affected builds, allowing the broken state in cloud_administration’s runtime to bleed into other apps sharing that environment. When Lookup Editor tries to start its REST handlers in that affected runtime, they crash at import time before serving any requests. 

The underlying cause is a Python dependency failure. Splunk confirmed that a ModuleNotFoundError: No module named ‘six.moves’ occurs within the cloud_administration app’s REST handling path, caused by a missing dependency in the python-dateutil and botocore chain present in affected Splunk Cloud builds. Because Python environment isolation was not enforced correctly in the affected builds, this broken state in cloud_administration’s runtime propagates into the Python environment that Lookup Editor v4.0.7’s handlers are directed into via the python.required constraint. The result is that when the Lookup Editor’s handlers try to load, they inherit a broken runtime and crash at import time.  

How the Crash Happens 

Lookup Editor v4.0.7’s restmap.conf contains a directive requiring its REST handlers to run on Python 3.9 or 3.13: 

python.required = 3.9,3.13 

Because Python environment isolation was not enforced correctly in the affected builds, the handler process inherits a broken runtime where six has failed to fully initialize. When the handler loads, it imports from the lookup_editor package, triggering the transitive chain described below, which ultimately reaches shortcuts.py and this import at line 13: 

from six import StringIO  # For converting KV store array data to CSV for export 

This looks straightforward, and under normal conditions it works without issue. The app’s bundled six.py defines StringIO as a direct module-level attribute in Python 3 at line 640: 

StringIO = io.StringIO 

However, because Python environment isolation was not enforced correctly in the affected builds, the lookup_editor handler process loads into the same broken Python runtime as cloud_administration. In that environment, six cannot be cleanly imported, so when shortcuts.py calls from six import StringIO, the import fails. The exact cause traces to the same environment corruption Splunk confirmed. The root error that produces this broken shared runtime is: 

ModuleNotFoundError: No module named 'six.moves' 

This failure in shortcuts.py then cascades up the entire handler stack. While __init__.py does directly import from shortcuts at line 20, that line is never reached because the failure surfaces first through a transitive chain that begins the moment the lookup_editor package initializes. __init__.py line 18 imports lookup_backups, which at its own line 13 imports lookupfiles, which at its own line 10 imports shortcuts. That is the actual point where the six failure surfaces, confirmed by the Python traceback: 

# __init__.py, line 18 
from lookup_editor.lookup_backups import LookupBackups 
# lookup_backups.py, line 13 
from lookup_editor.lookupfiles import SplunkLookupTableFile 
# lookupfiles.py, line 10 
from lookup_editor.shortcuts import escape_filename

Both REST handlers fail at module load time, before any request is ever served. The failure path is identical for both handlers: the same __init__.py cascade runs regardless of which import triggers it. The only difference is which line in each handler file initiates the cascade. For lookup_editor_rest_handler.py that is line 51, the first import from the lookup_editor package in that file. For lookup_backups_rest_handler.py it is line 15. Lines 46-47 of the backups handler are never reached: 

# lookup_editor_rest_handler.py, line 51 (the first failure point) 
from lookup_editor import lookupfiles 
# lookup_backups_rest_handler.py, line 15 (the immediate failure point) 
from lookup_editor import shortcuts 

# lines 46-47 
from lookup_editor import LookupEditor 
from lookup_editor import rest_handler 

Because these imports happen at module initialization rather than at request time, both REST handlers crash the instant Splunk tries to load them. The handler subprocess exits abnormally, leaving splunkd’s HTTP listener with a mangled or truncated response instead of a valid HTTP reply. The listener logs this as ‘bad character (49) in reply size’, indicating it received an unexpected character where it expected a valid HTTP size indicator. 

Every subsequent request to the Lookup Editor hits this same dead endpoint. Since both REST handlers share the same underlying infrastructure, this accounts for the persistent 500 errors that affected not only the Lookup Editor but other Splunk apps as well, as the failed HTTP response from the dead endpoint surfaces through Splunk Web’s shared request layer. 

Why Earlier Versions Were Not Affected 

Version 4.0.6 and earlier do not include the python.required directive in restmap.conf. Without it, Splunk runs those app REST handlers in a different runtime that is not affected by the same six.moves corruption. The from six import StringIO import that fails in v4.0.7 has existed in the codebase across multiple versions, but it only becomes fatal when the handler is directed into the runtime constrained by python.required. Earlier versions never targeted that runtime, so they were never exposed to the broken state.  

Version 4.0.6 restmap.conf contains only: 

python.version = python3 

Version 4.0.7 adds a directive constraining the handler to a specific Python version: 

python.version = python3 
python.required = 3.9,3.13 

The conflict is therefore the result of two independent changes arriving together: the python.required directive added in v4.0.7, and the six.moves corruption present in affected Splunk Cloud 10.2 builds. Neither change alone would have caused the crash. 

Resolution 

Our engineers worked with Splunk to confirm that the fix is available in Splunk Cloud 10.2.2510.18, where Python environment isolation has been corrected. Splunk Cloud 10.3 also includes this resolution, and is the recommended upgrade path for the most durable fix. Until an upgrade is completed, the Lookup Editor app should remain removed from affected environments to prevent the crash condition from impacting system stability. 

Experiencing Splunk Cloud performance or stability issues? Connect with TekStream’s Splunk experts to get your environment back on track.

About the Authors

Dave Cheever is a seasoned cybersecurity professional with more than a decade of industry experience. Over the past six years he has specialized in Splunk, applying his expertise across both analysis and engineering roles. Beyond his civilian career, Dave serves part time in the Air Force National Guard, where he supports critical national cyber missions for organizations such as the NSA and USCYBERCOM. He holds a master’s degree in Cybersecurity from the University of Massachusetts and maintains several respected certifications, including the CISSP. He is also a certified Splunk Core Consultant and holds accreditation in Enterprise Security implementations. Dave resides near historic Plymouth, Massachusetts, America’s hometown.   

Landon Bond is an experienced IT professional with 4 years of IT related background including Tech Support and Security/Networking. Landon currently works as a mentor and leader to student analysts within the Louisiana Higher Education instructions. Landon is also responsible for promptly responding to high severity alerts within multiple Splunk environments and acting as an escalation point for student analysts. Landon holds a bachelor’s degree in general studies from the University of Central Oklahoma, and an associate’s degree in cyber security from North Central Texas College. He also holds a security focused CompTIA Security+ certification as well. Landon resides in Marietta, Oklahoma.