Splunk Enterprise

Single csv lookup file not updating from deployer

fatsug
Contributor

Hi there

I've run into an issue where I can sort of guess why I'm having issues though have no clear idea regarding how to solve it.

In our distributed environment we have a "lookup app" in our deployer,

TA_lookups/lookups/lookupfile.csv

Recently a coworker added a few new lookup files and made additions to the file in question.

This is where the problem manifests, logging onto the deployer, checking that the correct files are present in

/opt/splunk/etc/shcluster/apps/TA_lookups/lookups/lookupfile.csv

Everything looks great. Applying the bundle worked without any complaints/errors. All the new csv files show up in the cluster and are accessible from the GUI, however.

This one file, the "lookupfile.csv" is not updated.

So I can sort of guess that it may have something to do with the file being in use or something, though I am stumped as to how I should go about solving this?

I've tried making some additional changes to the file, checked for any weird line breaking or something, and nothing.

I can see from the CLI that this one file has not been modified since the initial deployment, so the deployer applies the bundle, there are no complaints on either end that I can find, it just skips this one pre-existing csv file completely and as far as I can see, silently.

What do I do here? Is there a way to "force" the push? Is the only way to solve this to just manually remove the app from the SH cluster and push again? All suggestions are welcome 🙂

Best regards

1 Solution

fatsug
Contributor

Never figured out the "why" part, but there is a "how" part.

Finding no explanation or solution and with no "force push" option, having exhausted all other options I ended up manually transferring the lookup files to the appropriate locations in the cluster with the correct ownership etc and it "just worked".

So "problem solved"


inventsekar
SplunkTrust

The deployment server to UF's app push works a bit strange.

It may take even years to understand this DS and the apps structure. Good that you are able to understand the how part.

Thanks for updating your own question. Maybe you can do "accept as solution" on the post, thanks.


fatsug
Contributor

Well, it's all a bit of magic isn't it 🙂 In this case it was the search head deployer pushing the CSV files to the search head cluster. Though I've seen similar issues from the deployment server trying to push changes to the heavy forwarder layer.

Sure, I guess even if the cause of the issue remains clouded in mystery, the actual problem is solved and I should accept this as the solution.
