Getting Data In
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is My automatic lookup not working with Searchhead cluster?

aamer86
Path Finder
‎04-04-2022 12:07 PM

I have an indexing cluster and searchhead cluster. 
I want to use a csv threat feeds to add IP reputation field using automatic lookup 

I tried using all the online resources but It doesnt work 

 

anyone knows a limitation for doing the automatic lookup with SearchHead clustering 
I used the web based and the config files based option but didnt work 

I did the manual checks and all worked 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

aamer86
Path Finder
‎04-09-2022 12:39 PM

thanks @Anonymous I found the problem 

I had the Security essential App installed on all search heads which include a LOOKUP table named account_status_tracker which was being used as the default source for any lookup operation (could be a bug in this app for Splunk to check) 
Once I removed the security essentials app, it worked (not sure why. the lookup was going to this table )
error.jpg

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

aamer86
Path Finder
‎04-09-2022 12:39 PM

thanks @Anonymous I found the problem 

I had the Security essential App installed on all search heads which include a LOOKUP table named account_status_tracker which was being used as the default source for any lookup operation (could be a bug in this app for Splunk to check) 
Once I removed the security essentials app, it worked (not sure why. the lookup was going to this table )
error.jpg

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-04-2022 11:19 PM

Please verify:

* You need to make all these configurations from SHC UI or Deployer.

* Make sure you have automatic lookup definition in the same app as your lookup csv file.

* Your automatic lookup configuration is replicated to all the search heads correctly.

* By default all CSV lookups are replicated to indexers automatically, but if not you can set "replicate=true" parameter in transforms.conf entry with your lookup definition.

* Please make sure there is no warning/error in the search.log when you try to search that data from the Job Inspect.

0 Karma
Reply
Solved! Jump to solution

aamer86
Path Finder
‎04-05-2022 05:39 AM

the automatic lookup (transforms.conf) file is not replicating from the deployer to the search heads

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-05-2022 06:08 AM

Have you executed the below command after making the changes?

splunk apply shcluster-bundle -target <URI>:<management_port>

 

If you are not much sure of the deployer and bundle push the command, please refer - https://docs.splunk.com/Documentation/Splunk/8.2.5/DistSearch/PropagateSHCconfigurationchanges 

0 Karma
Reply
Solved! Jump to solution

aamer86
Path Finder
‎04-06-2022 01:33 AM

yes I did this 

0 Karma
Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎04-06-2022 04:30 AM
Please make sure you have your config in the right directory in deployer. Also, make sure the file has no permission issue.
Please check Splunk's _internal log regarding this, if you see any WARN or ERROR.
0 Karma
Reply
Solved! Jump to solution

aamer86
Path Finder
‎04-05-2022 03:31 AM

I tried it and it still not working 

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top