Splunk Enterprise

Single csv lookup file not updating from deployer

fatsug
Contributor

Hi there

I've run into an issue where I can sort of guess why I'm having issues though have no clear idea regarding how to solve it.

In our distributed environment we have a "lookup app" in our deployer,

TA_lookups/lookups/lookupfile.csv

Recently a coworker added a few new lookup files and made additions to the file in question.

This is where the problem manifests, logging onto the deployer, checking that the correct files are present in

/opt/splunk/etc/shcluster/apps/TA_lookups/lookups/lookupfile.csv

Everything looks great. Applying the bundle worked without any complaints/errors. All the new csv files show up in the cluster and are accessible from the GUI, however.

This one file, the "lookupfile.csv" is not updated.

So I can sort of guess that it may have something to do with the file being in use or something, though I am stumped as to how I should go about solving this?

I've tried making some additional changes to the file, checked for any weird line breaking or something, and nothing.

I can see from the CLI that this one file has not been modified since the initial deployment, so the deployer applies the bundle, there are no complaints on either end that I can find, it just skips this one pre-existing csv file completely and as far as I can see, silently.

What do I do here? Is there a way to "force" the push? Is the only way to solve this to just manually remove the app from the SH cluster and push again? All suggestions are welcome 🙂

Best regards

fatsug
Contributor

Never figured out the "why" part, but there is a "how" part.

Finding no explanation or solution and with no "force push" option, having exhausted all other options I ended up manually transferring the lookup files to the appropriate locations in the cluster with the correct ownership etc and it "just worked".

So "problem solved"

inventsekar
SplunkTrust

The deployment server to UF's app push works a bit strange.

It may take, even years, to understand this DS and the apps structure. Good that you are able to understand the how part.

Thanks for updating your own question. Maybe you can do "accept as solution" to post, thanks.

fatsug
Contributor

Well, it's all a bit of magic isn't it 🙂 In this case it was the search head deployer pushing the CSV files to the search head cluster. Though I've seen similar issues from the deployment server trying to push changes to the heavy forwarder layer.

Sure, I guess even if the cause of the issue remains clouded in mystery, the actual problem is solved and I should accept this as the solution.
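
A check for the symptom described in this thread, where a bundle push reports success but one pre-existing CSV stays unchanged on the members. This is an added example, not part of the original posts and not Splunk tooling; it assumes a member's `lookups` directory has been copied or mounted where the script can read it, and the function names and the default `splunk` file owner are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not Splunk tooling. Compares each CSV staged on the deployer
# with the copy taken from one search head cluster member.
# Prints OK / STALE / MISSING / OWNER per file; returns 1 if anything differs.
lookup_drift() {
    local staged="$1" member="$2" owner="${3:-splunk}"   # owner: assumed service account
    local drift=0 f name
    for f in "$staged"/*.csv; do
        [ -e "$f" ] || continue                # staged directory holds no CSV files
        name=$(basename "$f")
        if [ ! -f "$member/$name" ]; then
            echo "MISSING $name"; drift=1
        elif [ "$(sha256sum < "$f")" != "$(sha256sum < "$member/$name")" ]; then
            echo "STALE $name"; drift=1        # the push left the old content in place
        elif [ "$(stat -c %U "$member/$name")" != "$owner" ]; then
            echo "OWNER $name"; drift=1        # content matches, file owner does not
        else
            echo "OK $name"
        fi
    done
    return "$drift"
}

# Constructed sample: one CSV the push updated, one it skipped, one it never delivered.
lookup_drift_demo() {
    local d; d=$(mktemp -d) || return 2
    mkdir -p "$d/staged" "$d/member"
    printf 'host,owner\nweb01,ops\n'            > "$d/staged/newfile.csv"
    printf 'host,owner\nweb01,ops\n'            > "$d/member/newfile.csv"
    printf 'host,owner\nweb01,ops\ndb01,dba\n'  > "$d/staged/lookupfile.csv"
    printf 'host,owner\nweb01,ops\n'            > "$d/member/lookupfile.csv"
    printf 'id,name\n1,a\n'                     > "$d/staged/extra.csv"
    lookup_drift "$d/staged" "$d/member" "$(stat -c %U "$d/member")"
    local rc=$?
    rm -rf "$d"
    return "$rc"
}
```

On a real deployment the first argument would be the staged directory from the question, `/opt/splunk/etc/shcluster/apps/TA_lookups/lookups`, and the second a copy of the same app's `lookups` directory from a member.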
