https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749492#M11997 <P><SPAN>We are storing data in a Splunk lookup file on one of the forwarders.</SPAN><BR /><SPAN>&nbsp;In our distributed Splunk architecture, this lookup data is not getting forwarded to the indexers or the search head, and therefore it is not available for search or enrichment.</SPAN></P><P><SPAN>&nbsp;How can we sync or transfer this lookup data from the forwarder to the search head (or indexers) so that it can be used across the distributed environment?</SPAN></P> Wed, 09 Jul 2025 11:44:04 GMT gurunagasimha 2025-07-09T11:44:04Z https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749491#M11993 <P><SPAN>We are storing data in a Splunk lookup file on one of the forwarders.</SPAN><BR /><SPAN>&nbsp;In our distributed Splunk architecture, this lookup data is not getting forwarded to the indexers or the search head, and therefore it is not available for search or enrichment.</SPAN></P><P><SPAN>&nbsp;How can we sync or transfer this lookup data from the forwarder to the search head (or indexers) so that it can be used across the distributed environment?</SPAN></P><P>&nbsp;</P> Wed, 09 Jul 2025 11:40:38 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749491#M11993 gurunagasimha 2025-07-09T11:40:38Z https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749492#M11997 <P><SPAN>We are storing data in a Splunk lookup file on one of the forwarders.</SPAN><BR /><SPAN>&nbsp;In our distributed Splunk architecture, this lookup data is not getting forwarded to the indexers or the search head, and therefore it is not available for search or enrichment.</SPAN></P><P><SPAN>&nbsp;How can we sync or transfer this lookup data from the forwarder to the search head (or indexers) so that it can be used across the distributed environment?</SPAN></P> Wed, 09 Jul 2025 11:44:04 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749492#M11997 gurunagasimha 2025-07-09T11:44:04Z https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749495#M11994 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266853">@gurunagasimha</a>&nbsp;,</P><P>the lookup, I suppose, comes from a csv or txt file, so read this file on the Forwarder and store it on an index or a lookup on the Indexers o Search Head so yu can use it.</P><P>How to do it: create on the Forwarder a file input that reads the csv file.</P><P>Ciao.</P><P>Giuseppe</P> Wed, 09 Jul 2025 11:49:28 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749495#M11994 gcusello 2025-07-09T11:49:28Z https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749496#M11998 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266853">@gurunagasimha</a>&nbsp;,</P><P>why did you create two identical questions?</P><P>Anyway, see my answer in the question&nbsp;<A href="https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749491#M11993" target="_blank" rel="noopener">https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749491#M11993</A></P><P>Ciao.</P><P>Giuseppe</P> Wed, 09 Jul 2025 11:51:11 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749496#M11998 gcusello 2025-07-09T11:51:11Z https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749500#M11995 <P>Lookup format is kvstore. We are ingesting the data through scripts and storing it in lookups in the Splunk forwarder. We are using a heavy forwarder.</P><P>Is there any other way to automatically sync in the lookups?</P> Wed, 09 Jul 2025 12:17:39 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749500#M11995 gurunagasimha 2025-07-09T12:17:39Z https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749501#M11996 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266853">@gurunagasimha</a>&nbsp;</P><P><SPAN>Lookup files on forwarders are not automatically forwarded from forwarders to indexers or search heads. To make lookup data available across your distributed environment you would need to send it somehow to your Search Head (Cluster) - there are a number of ways you could do this:</SPAN></P><P><SPAN>1) On your HF run a scheduled search using | inputlookup to load the contents of the lookup and then use the | collect command to write the contents to an index, on your SH/SHC you can create a scheduled search to load the indexed data and use | outputlookup to write it to a lookup</SPAN></P><P><SPAN>2) Use a custom REST API script to copy the kvstore lookup from your HF to your SH/SHC.</SPAN></P><P><SPAN>3) Use the&nbsp;KV Store Tools Redux app (<A href="https://splunkbase.splunk.com/app/5328" target="_blank">https://splunkbase.splunk.com/app/5328</A>) to upload from the HF to SHC</SPAN></P><P><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span><SPAN>&nbsp;</SPAN><STRONG>Did this answer help you?</STRONG><SPAN>&nbsp;</SPAN>If so, please consider:</P><UL><LI>Adding karma to show it was useful</LI><LI>Marking it as the solution if it resolved your issue</LI><LI>Commenting if you need any clarification</LI></UL><P>Your feedback encourages the volunteers in this community to continue contributing</P> Wed, 09 Jul 2025 12:45:38 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749501#M11996 livehybrid 2025-07-09T12:45:38Z https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749560#M11999 <P>Merged both threads.</P> Thu, 10 Jul 2025 11:31:31 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749560#M11999 PickleRick 2025-07-10T11:31:31Z https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749785#M12000 How you are creating those kvstore lookups in HF? What is the reason to use kvstore instead of csv file or modular input to send those directly into indexers? Mon, 14 Jul 2025 21:34:11 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749785#M12000 isoutamo 2025-07-14T21:34:11Z https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749812#M12001 <P>To use a lookup to enrich a search, the lookup needs to exist as a lookup on the Search Head<BR />A lookup on a heavy forwarder is not going to be available at search time.&nbsp;<BR /><BR />What you need to do is get a copy of the lookup on the SH.<BR /><BR />The easiest (imo) option is to index the lookup file on the HF - simply define it as an input on the HF and have Splunk monitor it for changes. You can send this to any index, but lets assume you create and use one called "lookups_index" and sourcetype "my_hf_lookup"<BR /><BR />On your search head, you can now create a lookup-generating search:<BR />Depending on what your lookup contains (dates, product_ids, error codes) you would create a search like:</P><LI-CODE lang="markup">index=lookups_index soucetype=my_hf_lookup |dedup product_code |table product_code product_description product_price |outputlookup my_sh_lookup.csv</LI-CODE><P>I like to name these something like: "<EM>LOOKUPGEN-my_sh_lookup.csv</EM>"<BR /><BR />You can then schedule that to run once a day/week/hour (depending on your anticipated lookup change frequency)<BR /><BR />You can then use:</P><LI-CODE lang="markup">|lookup my_sh_lookup.csv product_code OUTPUT product_name product_price</LI-CODE><P>In your searches<BR /><BR />- Although I find it better practice to actually create a lookup definition and use that&nbsp;</P> Tue, 15 Jul 2025 08:16:09 GMT https://community.splunk.com/t5/Splunk-Dev/Splunk-Distributed-Architecture/m-p/749812#M12001 nickhills 2025-07-15T08:16:09Z