
Why is my automatic lookup not working with a search head cluster?

aamer86
Path Finder

I have an indexer cluster and a search head cluster.
I want to use a CSV threat feed to add an IP reputation field using an automatic lookup.

I tried using all the online resources, but it doesn't work.

Does anyone know of a limitation for doing an automatic lookup with search head clustering?
I used both the web-based and the config-file-based options, but it didn't work.

I did the manual checks and they all worked.

1 Solution

aamer86
Path Finder

Thanks @Vasu, I found the problem.

I had the Security Essentials app installed on all search heads, which includes a lookup table named account_status_tracker that was being used as the default source for any lookup operation (could be a bug in this app for Splunk to check).
Once I removed the Security Essentials app, it worked (not sure why the lookup was going to this table).


VatsalJagani
SplunkTrust

Please verify:

* You need to make all these configurations from SHC UI or Deployer.

* Make sure you have automatic lookup definition in the same app as your lookup csv file.

* Your automatic lookup configuration is replicated to all the search heads correctly.

* By default all CSV lookups are replicated to indexers automatically, but if not you can set "replicate=true" parameter in transforms.conf entry with your lookup definition.

* Please make sure there is no warning/error in the search.log when you try to search that data from the Job Inspect.

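A concrete version of the checklist above, as an added example that is not from the original thread: both stanzas live in the same app on the deployer, the lookup CSV ships with that app, and replication to the indexers is forced explicitly. The app name, stanza names, CSV column names and sourcetype are assumptions.

```ini
; Deployer: $SPLUNK_HOME/etc/shcluster/apps/threat_intel_app/local/transforms.conf
; The CSV itself lives at $SPLUNK_HOME/etc/shcluster/apps/threat_intel_app/lookups/threat_ips.csv
; with a header row of:  ip,reputation,source
[threat_ip_lookup]
filename = threat_ips.csv
; Checklist item: push the CSV to the indexers with the knowledge bundle.
; CSV lookups replicate by default, but setting it explicitly rules this out
; as the cause when the enriched field is missing.
replicate = true
; Feed data is often mixed-case or padded; match defensively.
case_sensitive_match = false
max_matches = 1

; Same app, same directory: $SPLUNK_HOME/etc/shcluster/apps/threat_intel_app/local/props.conf
; Automatic lookup keyed on the event's src_ip field; adds ip_reputation and
; threat_source without overwriting any value already present (OUTPUTNEW).
[firewall_logs]
LOOKUP-threat_ip_reputation = threat_ip_lookup ip AS src_ip OUTPUTNEW reputation AS ip_reputation, source AS threat_source

; After saving both files, push the bundle from the deployer (any SHC member URI):
;   splunk apply shcluster-bundle -target https://sh1.example.internal:8089
;
; Verification searches, run from a search head member after the push:
;   | inputlookup threat_ip_lookup                      ; table is visible on the SHC
;   sourcetype=firewall_logs | table src_ip ip_reputation threat_source
;   index=_internal sourcetype=splunkd (WARN OR ERROR) lookup   ; replication/permission issues
```

If `| inputlookup` works but the automatic lookup does not, the problem is in props.conf or bundle replication rather than the CSV itself; if both fail, the app never reached the members.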

aamer86
Path Finder

The automatic lookup (transforms.conf) file is not replicating from the deployer to the search heads.


VatsalJagani
SplunkTrust

Have you executed the below command after making the changes?

splunk apply shcluster-bundle -target <URI>:<management_port>

If you are not sure about the deployer and the bundle push command, please refer to https://docs.splunk.com/Documentation/Splunk/8.2.5/DistSearch/PropagateSHCconfigurationchanges


aamer86
Path Finder

Yes, I did this.


VatsalJagani
SplunkTrust

Please make sure you have your config in the right directory in deployer. Also, make sure the file has no permission issue.
Please check Splunk's _internal log regarding this, if you see any WARN or ERROR.

aamer86
Path Finder

I tried it and it's still not working.
