Where to keep the lookup file in a clustered envir...

surekhasplunk · ‎02-01-2021

Hello,

We are moving from single deployment to clustered environment.

Current scenario: for one of my dashboards i was getting the lookup file created by running a python script. using a cronjob. Since i dont want it to be indexed, i was just creating the file and placing it in the lookups folder of one of the apps where the dashboard is there.

Now when i move to clustered environment how and where do i place the script to generate the lookup

and where can i save the lookup file to automatically get shared in all the searh heads.

thanks

scelikok · ‎02-01-2021

Hi @surekhasplunk,

Since Splunk Search Head Cluster will not detect changes you make without Web UI or REST, you have two options;

1- You can create a custom search command runs your python script and than pipe to outputlookup. With this way the cluster will replicate lookup across members.

2- Running python script on every search head with cronjob.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

surekhasplunk · ‎02-02-2021

Hello @scelikok

Thank you so much for your reply.

for 1st point, if you could you please give an example snippet, that would be great

Thanks

Where to keep the lookup file in a clustered environment

CSV

scripted input

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?