All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Trouble with lookup tables (possible bundle replication issue)

jhall0007
Path Finder
‎06-19-2017 06:28 AM

I was wondering if anyone else experienced an issue using the lookup tables in a distributed environment? I received an error indicating the indexers did not know about the lookup tables. I suspect the issue is with the large application name causing a problem with bundle replication.

0 Karma
Reply

jhall0007
Path Finder
‎06-19-2017 06:31 AM

I didn't spend to much time troubleshooting this. I just added a second app with a shorter name that included ONLY the lookup tables. It is now working fine for me. I am not looking for an answer, I was just hoping this may help someone else.

0 Karma
Reply

ccheung_splunk
Splunk Employee
Splunk Employee
‎06-29-2017 03:58 PM

jhall0007- Thanks for mentioning this. This is a known problem and will be addressed. While placing the lookups in a new app works, the problem is that the app blacklists the sample lookups in distsearch.conf. However, it's overzealous and blacklists ALL the lookups. 🙂

Out of the box:
excludeSSE1 = ...Splunk_Security_Essentials_for_Ransomware/lookups...
excludeSSE2 = ...Splunk_Security_Essentials_for_Ransomware\lookups...

Fix:
excludeSSE1 = ...Splunk_Security_Essentials_for_Ransomware/lookups/UC...
excludeSSE2 = ...Splunk_Security_Essentials_for_Ransomware\lookups\UC..

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...