Splunk Search

After configuring an app and pushing the bundle to a search head cluster, why isn't a csv lookup table being deployed?


I have a search head cluster with three nodes. I have a standalone SH that I use to configure apps, get them configured and working, then bundle and push out to the SHCluster. Everything works great - except for a lookup_table.csv. It doesn't get pushed. The directory path that should contain the lookup_table.csv does not get created. I have tried creating the path and installing the lookup_table.csv on each of the SH nodes in the cluster. Nothing seems to work. All the other apps work, and all the dashboards in the recalcitrant app work EXCEPT the ones that need the lookup_table.csv.

Any thoughts on where to look for what is causing the disconnect?


When you have an app with a lookup in it properly working on your test search head, you would have to verify app/file permissions on all the files in the app; they need to be owned by the account running Splunk on all the search heads, if not running as root. Do you have the lookup table assigned to a sourcetype? One other thing to check would be the default.meta file that your lookup app contains. Make sure that you export everything in the app to system, so that it can be used on any search head by any Splunk app. I've been bitten by permission issues like that plenty of times.

0 Karma


The lookup is in the app under shcluster/apps/[app]/lookups on your deployer? Have you been able to successfully deploy lookups in other apps in the cluster? Can you deploy another lookup in that app?

0 Karma
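
Added example, not part of the thread: a shell check that covers the points raised in both answers for one app directory (lookup present under the app's `lookups` directory, every file owned by the account running Splunk, and `metadata/default.meta` exporting to system). The function names, the script name and the sample path in the usage comment are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Function names are hypothetical.

# True if default.meta sets "export = system" in the app-wide [] stanza
# or in the [lookups] stanza.
exports_to_system() {
    [ -f "$1" ] || return 1
    awk '
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); next }
        (s == "[]" || s == "[lookups]") &&
            /^[[:space:]]*export[[:space:]]*=[[:space:]]*system[[:space:]]*$/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# check_lookup_app <app_dir> <lookup_file> <owner>   (owner: user name or uid)
check_lookup_app() {
    local app_dir="$1"
    local lookup="$2"
    local owner="$3"
    local rc=0 bad

    if [ ! -f "$app_dir/lookups/$lookup" ]; then
        echo "MISSING    $app_dir/lookups/$lookup"
        rc=1
    fi

    # List anything under the app not owned by the account that runs Splunk.
    if ! bad=$(find "$app_dir" ! -user "$owner" -print); then
        echo "ERROR      cannot walk $app_dir or resolve owner '$owner'"
        return 2
    fi
    if [ -n "$bad" ]; then
        echo "BAD OWNER  expected $owner:"
        echo "$bad"
        rc=1
    fi

    if ! exports_to_system "$app_dir/metadata/default.meta"; then
        echo "NO EXPORT  default.meta lacks 'export = system' under [] or [lookups]"
        rc=1
    fi
    return "$rc"
}

# Run only when arguments are supplied, e.g.
#   ./check.sh "$SPLUNK_HOME/etc/shcluster/apps/myapp" lookup_table.csv splunk
[ "$#" -eq 0 ] || check_lookup_app "$@"
```

Run it against the app under `shcluster/apps` on the deployer before pushing, and against the deployed copy of the app on each cluster member afterwards.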