Splunk Search

After configuring an app and pushing the bundle to a search head cluster, why isn't a csv lookup table being deployed?

belka
Path Finder

I have a search head cluster with three nodes. I have a standalone SH that I use to configure apps, get them configured and working, then bundle and push out to the SHCluster. Everything works great - except for a lookup_table.csv. It doesn't get pushed. The directory path that should contain the lookup_table.csv does not get created. I have tried creating the path and installing the lookup_table.csv on each of the SH nodes in the cluster. Nothing seems to work. All the other apps work, and all the dashboards in the recalcitrant app work EXCEPT the ones that need the lookup_table.csv.

Any thoughts on where to look for what is causing the disconnect?

tskinnerivsec
Contributor

When you have an app with a lookup in it properly working on your test search head, you would have to verify app/file permissions on all the files in the app; they need to be owned by the account running Splunk on all the search heads, if not running as root. Do you have the lookup table assigned to a sourcetype? One other thing to check would be the default.meta file that your lookup app contains. Make sure that you export everything in the app to system, so that it can be used on any search head by any Splunk app. I've been bitten by permission issues like that plenty of times.

0 Karma

maciep
Champion

The lookup is in the app under shcluster/apps/[app]/lookups on your deployer? Have you been able to successfully deploy lookups in other apps in the cluster? Can you deploy another lookup in that app?

0 Karma
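
The checks suggested in the replies above (lookup present under the app's `lookups` directory, file ownership, and `export = system` in `default.meta`) can be run against the staged app before pushing the bundle. This is an added example, not code from the thread or from Splunk; `parse_meta`, `check_app`, the app name `example_app` and the uid argument are assumptions, and the script only inspects files on disk.

```python
import os, tempfile
from pathlib import Path

def parse_meta(text):
    """Parse default.meta text into {stanza: {key: value}}; '' is the global [] stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_app(app_dir, splunk_uid):
    """Return a list of findings for one app directory staged for deployment."""
    app = Path(app_dir)
    findings = []
    # 1. The lookup must exist inside the app, under lookups/.
    if not (app / "lookups").is_dir() or not list((app / "lookups").glob("*.csv")):
        findings.append("no CSV files under lookups/")
    # 2. Every file and directory should be owned by the account running Splunk.
    for path in [app, *sorted(app.rglob("*"))]:
        if path.lstat().st_uid != splunk_uid:
            findings.append(f"not owned by uid {splunk_uid}: {path.relative_to(app)}")
    # 3. default.meta should export the app's objects (or its lookups) to system.
    meta_file = app / "metadata" / "default.meta"
    meta = parse_meta(meta_file.read_text()) if meta_file.is_file() else {}
    if not any(meta.get(s, {}).get("export") == "system" for s in ("", "lookups")):
        findings.append("metadata/default.meta lacks export = system in [] or [lookups]")
    return findings

if __name__ == "__main__":
    # Constructed sample app: the lookup exists, but only views are exported.
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "shcluster" / "apps" / "example_app"
        (app / "lookups").mkdir(parents=True)
        (app / "metadata").mkdir()
        (app / "lookups" / "lookup_table.csv").write_text("host,owner\nweb01,ops\n")
        (app / "metadata" / "default.meta").write_text("[views]\nexport = system\n")
        for finding in check_app(app, os.stat(app).st_uid):
            print("FINDING:", finding)
```

On a real deployer, pass the app's path under `shcluster/apps` and the numeric uid of the account that runs Splunk; an empty list means none of the three conditions failed.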