Maybe I'm still new to SHC's, but I was expecting that since adding a new app typically required restarts, that it was doing this in the background when applying the shcluster-bundle.

Performing a rolling-restart did fix the problem for me, I'm on RHEL 7.

Thanks for your assistance Luke.

Thanks a lot @LukeMurphey, the rolling restart helped.
Really Appreciate your help. 🙂

You not alone, this threw me off too (and several others)!

I ran through a live debugging session with several people and none of us thought to try this until the administrator decided just to give it a shot. Sure enough, it worked.

@kcepull: could you try version 2.7.0?

I have deployed this on an SHC environment and cannot get a repro on this. I'm wondering if this is limited to 2.7.1.

We tried 2.7.0, and got the same results (error).

Do you see any errors when you run the following search? Make sure to run if far enough back that it includes the time that the Splunk was started.

index=_internal lookup_edit sourcetype=splunk_web_service ERROR

The only errors I see from that search are ones like these:

2017-10-19 16:53:46,563 INFO [59e910dz8c7f8ca46e80] error: 138 - Masking the original 404 message: 'The path '/en-US/custom/lookup_editor/lookup_edit/get_lookup_backups_list' was not found.' with 'Page not found!' for security reasons

I don't see any errors from startup. (NOTE: we deployed the app by dropping it on the Deployer, then pushing it to the SHC. I'm not sure if the SH gets restarted automatically by this process or not.)

Running Splunk as root, and logged in as Admin. No lookup files can be viewed/opened in the app.

Also of note, in your troubleshooting suggestion:
index=_internal sourcetype="lookup_editor_controller"

Returns no results.

Thats a good find. It sounds like the controller couldn't start.

Could you run a search for the following and let me know if it shows anything of value (especially if any of the messages indicate an error)?

index=_internal lookup_edit sourcetype=splunk_web_service

Ah, that gives something:

2017-10-16 11:22:00,555 INFO [59e4f8c88b7f1ae85b9d90] error:133 - Masking the original 404 message: 'The path '/en-US/custom/lookup_editor/lookup_edit/get_lookup_contents' was not found.' with 'Page not found!' for security reasons

Do you also see an error that indicates why the controller couldn't load? It should somewhere around the time that Splunk started.

It may appear with this search:

index=_internal lookup_edit sourcetype=splunk_web_service ERROR

just more page not found messages:

2017-10-12 11:59:01,664 INFO    [59dfbb75a77fadc4208750] error:133 - Masking the original 404 message: 'The path '/en-US/custom/lookup_editor/lookup_edit/save' was not found.' with 'Page not found!' for security reasons
2017-10-12 10:34:02,935 INFO    [59dfa78aec7f695c31cbd0] error:133 - Masking the original 404 message: 'The path '/en-US/custom/lookup_editor/lookup_edit/get_lookup_backups_list' was not found.' with 'Page not found!' for security reasons
2017-10-12 10:34:02,717 INFO    [59dfa78ab57f695c31ce90] error:133 - Masking the original 404 message: 'The path '/en-US/custom/lookup_editor/lookup_edit/get_lookup_contents' was not found.' with 'Page not found!' for security reasons
2017-10-12 10:28:37,443 INFO    [59dfa6456e7f695c57aa10] error:133 - Masking the original 404 message: 'The path '/en-US/custom/lookup_editor/lookup_edit/save' was not found.' with 'Page not found!' for security reasons
2017-10-12 10:28:33,226 INFO    [59dfa641357f695c57aa50] error:133 - Masking the original 404 message: 'The path '/en-US/custom/lookup_editor/lookup_edit/save' was not found.' with 'Page not found!' for security reasons
2017-10-12 10:27:03,380 INFO    [59dfa5e75f7f695c637710] error:133 - Masking the original 404 message: 'The path '/en-US/custom/lookup_editor/lookup_edit/get_lookup_backups_list' was not found.' with 'Page not found!' for security reasons
2017-10-12 10:27:03,315 INFO    [59dfa5e74e7f698052f550] error:133 - Masking the original 404 message: 'The path '/en-US/custom/lookup_editor/lookup_edit/get_lookup_contents' was not found.' with 'Page not found!' for security reasons

Could you verify that the following two files exist on one of the affected search heads?

1. $SPLUNK_HOME/etc/apps/lookup_editor/appserver/controllers/lookup_edit.py
2. $SPLUNK_HOME/etc/apps/lookup_editor/default/web.conf

If those exist, then make sure that web.conf includes the following:

[endpoint:lookup_edit]

Both exist, and web.conf has that content on all 3 of my SHC nodes.

BTW: sorry for the extensive debugging questions. I tried several times to reproduce this in various environments (various Splunk versions, SHC and standalone, etc) but couldn't get it to reproduce for me.