CSV Lookups not replicating in Search Heads

jincy_18
Path Finder

Hi All,

We are using a clustered environment with 3 indexers, 3 search heads, a deployer and a heavyweight forwarder (all running on Splunk Enterprise 6.4.1).
There are saved searches that run every minute and populate values into .csv files using the |outputlookup command.
a) When there is a result returned by these searches, it gets replicated to the .csv file on all search heads, irrespective of which search head executed the search.
b) When no result is found by the search, the csv lookup file on the search head on which the search was executed is emptied. But this is not replicated to the other search heads.

Why is it that only the emptying of the csv is not replicated?
Are there any constraints on CSV files being replicated by the search head cluster?

Any help would be greatly appreciated!

Thanks

0 Karma

adamsaul
Communicator

Jincy,

When the CSV file is created, where is it located on the search head (regardless if the CSV is 'null' or not)?

It should be either of these locations:

$SPLUNK_HOME/etc/system/lookups
$SPLUNK_HOME/etc/apps/*/lookups

0 Karma

jincy_18
Path Finder

All the lookup files are located on below path :

$SPLUNK_HOME/etc/apps/*/lookups

0 Karma

adamsaul
Communicator

Has the 'server.conf' file for the "Captain" of your SH cluster been modified?

Within that file is the 'whitelist' for what is replicated to your cluster members. It sounds to me like the 'whitelist' is working as intended but not replicating 'null' files. I still haven't had any luck replicating this issue on my end.

0 Karma

adamsaul
Communicator

Morning Jincy,

Have you taken a look at:
Command Reference

Are you specifying create_empty=false in your search?

Thanks,

Adam

0 Karma

jincy_18
Path Finder

Thanks Adam.
We are not specifying create_empty=false anywhere in the query. We are using a simple search query, similar to the one mentioned below.

index="my_index" earliest=-0d@d AND latest=now | where column1="somevalue" | table column2 column3 column4 | outputlookup my_lookup.csv

0 Karma
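A practical way to confirm the behaviour described in the question (the lookup emptied on one search head but still populated on the others) is to snapshot the lookup directories on every member and compare them. The script below is an added example written for this thread, not code from the thread or from Splunk; the hostnames sh1/sh2/sh3, the app name my_app and the file contents are constructed to mirror the situation described above. `snapshot_lookups()` walks the two lookup locations named in the thread, and `compare()` classifies each file as consistent, missing on some members, empty on some members, or differing in content.

```python
"""Detect CSV lookup divergence across search-head cluster members.

Added example for this thread (not Splunk's own tooling). Run snapshot_lookups()
on each search head, collect the results per host, then feed them to compare().
"""
import hashlib
import os
from glob import glob
from typing import Dict, List

Snapshot = Dict[str, bytes]  # lookup path relative to $SPLUNK_HOME -> file bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot_lookups(splunk_home: str) -> Snapshot:
    """Collect every .csv under the two lookup locations mentioned in the thread."""
    patterns = [
        os.path.join(splunk_home, "etc", "system", "lookups", "*.csv"),
        os.path.join(splunk_home, "etc", "apps", "*", "lookups", "*.csv"),
    ]
    snap: Snapshot = {}
    for pattern in patterns:
        for path in glob(pattern):
            with open(path, "rb") as fh:
                snap[os.path.relpath(path, splunk_home)] = fh.read()
    return snap


def classify(name: str, per_host: Dict[str, Snapshot]) -> str:
    """Return consistent | missing_on_some | empty_on_some | content_differs."""
    present = {host: snap[name] for host, snap in per_host.items() if name in snap}
    if len(present) != len(per_host):
        return "missing_on_some"
    if len({sha256_hex(data) for data in present.values()}) == 1:
        return "consistent"
    # Digests differ: a zero-length copy means an emptying that did not replicate.
    if any(len(data) == 0 for data in present.values()):
        return "empty_on_some"
    return "content_differs"


def empty_members(name: str, per_host: Dict[str, Snapshot]) -> List[str]:
    """Hosts on which the named lookup exists but is zero-length."""
    return sorted(h for h, s in per_host.items() if name in s and len(s[name]) == 0)


def compare(per_host: Dict[str, Snapshot]) -> Dict[str, str]:
    """Every lookup seen on any member that is not identical everywhere."""
    names = set()
    for snap in per_host.values():
        names.update(snap)
    report: Dict[str, str] = {}
    for name in sorted(names):
        state = classify(name, per_host)
        if state != "consistent":
            report[name] = state
    return report


# Constructed sample snapshots (hypothetical hosts and app): sh2 ran the search
# with no results and its copy of my_lookup.csv was emptied; the others kept data.
HEADER = b"column2,column3,column4\n"
LOOKUP = "etc/apps/my_app/lookups/my_lookup.csv"
HOSTS = "etc/apps/my_app/lookups/hosts.csv"
STALE = "etc/apps/my_app/lookups/stale.csv"
SAMPLE: Dict[str, Snapshot] = {
    "sh1": {LOOKUP: HEADER + b"a,b,c\n", HOSTS: b"host\nweb01\n"},
    "sh2": {LOOKUP: b"", HOSTS: b"host\nweb01\n"},
    "sh3": {LOOKUP: HEADER + b"a,b,c\n", HOSTS: b"host\nweb01\n", STALE: b"k\n1\n"},
}

if __name__ == "__main__":
    for path, state in compare(SAMPLE).items():
        print(f"{state:16} {path}  empty on: {empty_members(path, SAMPLE)}")
```

Run on the constructed sample, the report flags my_lookup.csv as empty only on sh2 and stale.csv as missing on two members, while hosts.csv is not reported. Against a real cluster, gather one snapshot per search head (over ssh, for example) and run the comparison after the minute-interval search has executed on each member.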