Splunk Enterprise Security

Why does adding head (1==1) fix this strange lookup error?


Both queries work on our non ES server; however, only the first query works on our ES server.

This query works in both places:

| head (1==1)
| lookup myserverlist my_host

This query throws the following error on our ES server:
Streamed search execute failed because: "[IndexServerName] Error in 'lookup' command: Could not construct lookup 'myserverlist , my_host'. See search.log for more details.." I've looked at the search.log file and found nothing useful.

| lookup myserverlist my_host
0 Karma

Re: Why does adding head (1==1) fix this strange lookup error?


The lookup command is a distributable streaming command when local=false, which is the default setting. And distributable streaming command runs on indexer servers. So in your second query lookup is running on indexer server: [IndexServerName] and failing as it is not created there. You need to provide local=true in lookup command to run it on search heads.

| lookup local=true myserverlist my_host

Why the first query works?
it is using head command which is a centralized streaming command which only runs on search heads. Before head command executed indexers send the results to the search head and all the next commands will be run on search head only. So in this case lookup will be run on search head so it works.

Check this link to understand this better: https://docs.splunk.com/Documentation/Splunk/8.0.2/Search/Writebettersearches#Parallel_processing_ex...

Check below links for more info:

View solution in original post

Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.