I currently have a distributed Splunk setup, with one search head, a cluster master and three indexers, and am trying to automate a way to add lookup files to this setup. The file is too large to be uploaded to the web GUI, so I have attempted to add the lookup file to
on the search head, but as soon as I do, I receive a sync error with failure reason 'NONE' and no other data is searchable through the search head. So I am wondering two things:
1. When I upload a lookup through the lookup editor app, it is added into the /lookup_editor/lookups folder, so why when I add one manually does it not like it? Is there another file I need to update?
2. What is the best way to script uploading a lookup file to Splunk?
EDIT: Just thought I would add an edit, as I have found out that manually creating a lookup within the folder didn't actually cause issues with the search head. The issue was that the lookup I created was 8 GB and the maximum bundle size was set to 1 GB, so the bundle failed to replicate and caused all these issues. So I believe it is actually possible to create a lookup manually with the above method!
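The failure described in the EDIT can be caught before the file is copied. The following is an added example, not part of the original post: a pre-flight check that refuses to install a lookup when the app's lookup files would exceed a size limit. The app directory name, the function names and the scaled-down sample sizes are assumptions; the limit is whatever maximum bundle size is configured on the search head.

```python
import os
import shutil
import tempfile

def lookup_sizes(app_dir):
    """Map each file under <app_dir>/lookups to its size in bytes."""
    sizes = {}
    for dirpath, _dirs, files in os.walk(os.path.join(app_dir, "lookups")):
        for name in files:
            path = os.path.join(dirpath, name)
            sizes[path] = os.path.getsize(path)
    return sizes

def install_lookup(candidate, app_dir, limit_bytes):
    """Copy candidate into <app_dir>/lookups unless the lookups would exceed limit_bytes.

    Returns (installed, projected_total_bytes). The total counts lookup files only,
    so it is a lower bound on what actually has to replicate.
    """
    dest = os.path.join(app_dir, "lookups", os.path.basename(candidate))
    # A file that is being replaced must not be counted twice.
    existing = sum(s for p, s in lookup_sizes(app_dir).items() if p != dest)
    projected = existing + os.path.getsize(candidate)
    if projected > limit_bytes:
        return False, projected
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    tmp = dest + ".partial"
    shutil.copyfile(candidate, tmp)
    os.replace(tmp, dest)  # rename into place so a half-written file is never read
    return True, projected

def demo():
    """Constructed data, scaled down: KiB here stand in for the post's GB."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "example_app")  # hypothetical app directory
        os.makedirs(os.path.join(app_dir, "lookups"))
        with open(os.path.join(app_dir, "lookups", "small.csv"), "w") as f:
            f.write("host,owner\nweb01,alice\n")
        big = os.path.join(root, "big.csv")
        with open(big, "wb") as f:
            f.write(b"k,v\n" * 2048)  # 8 KiB constructed lookup
        refused = install_lookup(big, app_dir, limit_bytes=1024)
        accepted = install_lookup(big, app_dir, limit_bytes=16 * 1024)
        present = os.path.exists(os.path.join(app_dir, "lookups", "big.csv"))
        return refused, accepted, present

if __name__ == "__main__":
    print(demo())
```

Because a bundle carries more than lookup files, a pass from this check does not guarantee replication will succeed; a refusal does mean the copy would have exceeded the limit.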