Splunk Enterprise

Single csv lookup file not updating from deployer

fatsug
Contributor

Hi there

I've run into an issue where I can sort of guess why I'm having issues though have no clear idea regarding how to solve it.

In our distributed environment we have a "lookup app" in our deployer,

TA_lookups/lookups/lookupfile.csv

Recently a coworker added a few new lookup files and made additions to the file in question.

This is where the problem manifests, logging onto the deployer, checking that the correct files are present in

/opt/splunk/etc/shcluster/apps/TA_lookups/lookups/lookupfile.csv

Everything looks great. Applying the bundle worked without any complaints/errors. All the new csv files show up in the cluster and are accessible from the GUI, however.

This one file, the "lookupfile.csv" is not updated.

So I can sort of guess that it may have something to do with the file being in use or something, though I am stumped as to how I should go about solving this?

I've tried making some additional changes to the file, checked for any weird line breaking or something, and nothing.

I can see from the CLI that this one file has not been modified since the initial deployment, so the deployer applies the bundle, there are no complaints on either end that I can find, it just skips this one pre-existing csv file completely and as far as I can see, silently.

What do I do here? Is there a way to "force" the push? Is the only way to solve this to just manually remove the app from the SH cluster and push again? All suggestions are welcome 🙂

Best regards


fatsug
Contributor

Never figured out the "why" part, but there is a "how" part.

Finding no explanation or solution and with no "force push" option, having exhausted all other options I ended up manually transferring the lookup files to the appropriate locations in the cluster with the correct ownership etc and it "just worked".

So "problem solved"


inventsekar
SplunkTrust

The deployment server to UF's app push works a bit strange.

It may take, even years, to understand this DS and the apps structure. Good that you are able to understand the how part.

Thanks for updating your own question. Maybe you can do "accept as solution" to post, thanks.

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

fatsug
Contributor

Well, it's all a bit of magic isn't it 🙂 In this case it was the search head deployer pushing the CSV files to the search head cluster. Though I've seen similar issues from the deployment server trying to push changes to the heavy forwarder layer.

Sure, I guess even if the cause of the issue remains clouded in mystery, the actual problem is solved and I should accept this as the solution.
