Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is My automatic lookup not working with Searchhead cluster?

aamer86
Path Finder
‎04-04-2022 12:07 PM

I have an indexing cluster and searchhead cluster. 
I want to use a csv threat feeds to add IP reputation field using automatic lookup 

I tried using all the online resources but It doesnt work 

 

anyone knows a limitation for doing the automatic lookup with SearchHead clustering 
I used the web based and the config files based option but didnt work 

I did the manual checks and all worked 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aamer86
Path Finder
‎04-09-2022 12:39 PM

thanks @Anonymous I found the problem 

I had the Security essential App installed on all search heads which include a LOOKUP table named account_status_tracker which was being used as the default source for any lookup operation (could be a bug in this app for Splunk to check) 
Once I removed the security essentials app, it worked (not sure why. the lookup was going to this table )
error.jpg

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

aamer86
Path Finder
‎04-09-2022 12:39 PM

thanks @Anonymous I found the problem 

I had the Security essential App installed on all search heads which include a LOOKUP table named account_status_tracker which was being used as the default source for any lookup operation (could be a bug in this app for Splunk to check) 
Once I removed the security essentials app, it worked (not sure why. the lookup was going to this table )
error.jpg

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-04-2022 11:19 PM

Please verify:

* You need to make all these configurations from SHC UI or Deployer.

* Make sure you have automatic lookup definition in the same app as your lookup csv file.

* Your automatic lookup configuration is replicated to all the search heads correctly.

* By default all CSV lookups are replicated to indexers automatically, but if not you can set "replicate=true" parameter in transforms.conf entry with your lookup definition.

* Please make sure there is no warning/error in the search.log when you try to search that data from the Job Inspect.

0 Karma
Reply
Solved! Jump to solution

aamer86
Path Finder
‎04-05-2022 05:39 AM

the automatic lookup (transforms.conf) file is not replicating from the deployer to the search heads

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-05-2022 06:08 AM

Have you executed the below command after making the changes?

splunk apply shcluster-bundle -target <URI>:<management_port>

 

If you are not much sure of the deployer and bundle push the command, please refer - https://docs.splunk.com/Documentation/Splunk/8.2.5/DistSearch/PropagateSHCconfigurationchanges 

0 Karma
Reply
Solved! Jump to solution

aamer86
Path Finder
‎04-06-2022 01:33 AM

yes I did this 

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-06-2022 04:30 AM
Please make sure you have your config in the right directory in deployer. Also, make sure the file has no permission issue.
Please check Splunk's _internal log regarding this, if you see any WARN or ERROR.
0 Karma
Reply
Solved! Jump to solution

aamer86
Path Finder
‎04-05-2022 03:31 AM

I tried it and it still not working 

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...