Splunk Search

After configuring an app and pushing the bundle to a search head cluster, why isn't a csv lookup table being deployed?

belka
Path Finder

I have a search head cluster with three nodes. I have a standalone SH that I use to configure apps, get them configured and working, then bundle and push out to the SHCluster. Everything works great - except for a lookup_table.csv. It doesn't get pushed. The directory path that should contain the lookup_table.csv does not get created. I have tried creating the path and installing the lookup_table.csv on each of the SH nodes in the cluster. Nothing seems to work. All the other apps work, and all the dashboards in the recalcitrant app work EXCEPT the ones that need the lookup_table.csv.

Any thoughts on where to look for what is causing the disconnect?

tskinnerivsec
Contributor

When you have an app with a lookup in it properly working on your test search head, you would have to verify app/file permissions on all the files in the app; they need to be owned by the account running Splunk on all the search heads, if not running as root. Do you have the lookup table assigned to a sourcetype? One other thing to check would be the default.meta file that your lookup app contains. Make sure that you export everything in the app to system, so that it can be used on any search head by any Splunk app. I've been bitten by permission issues like that plenty of times.

0 Karma

maciep
Champion

The lookup is in the app under shcluster/apps/[app]/lookups on your deployer? Have you been able to successfully deploy lookups in other apps in the cluster? Can you deploy another lookup in that app?

0 Karma
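
The checks suggested in the answers above, collected into one script as an added example (not code from any poster or from Splunk): it verifies that the CSV is staged under the app's lookups directory, that the app's files are owned by the account running Splunk, and that metadata/default.meta exports to system. The function name, its arguments, and the stanza names it accepts (`[]`, `[lookups]`, `[lookups/<file>]`) are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-push checks for a lookup in a deployer-staged app.
# check_lookup_app APP_DIR LOOKUP_FILE OWNER   (hypothetical helper)
#   APP_DIR     e.g. $SPLUNK_HOME/etc/shcluster/apps/<app> on the deployer
#   LOOKUP_FILE e.g. lookup_table.csv
#   OWNER       account (name or numeric uid) that runs Splunk
# Prints one line per finding and returns the number of failed checks.
check_lookup_app() {
    app=$1; lookup=$2; owner=$3; problems=0

    # 1. The CSV must actually be staged under <app>/lookups.
    if [ ! -f "$app/lookups/$lookup" ]; then
        echo "MISSING: $app/lookups/$lookup"
        problems=$((problems + 1))
    fi

    # 2. Every file in the app should be owned by the Splunk account.
    foreign=$(find "$app" ! -user "$owner" -print 2>/dev/null | head -n 5)
    if [ -n "$foreign" ]; then
        echo "OWNERSHIP: not owned by $owner:"
        echo "$foreign"
        problems=$((problems + 1))
    fi

    # 3. default.meta must contain "export = system" in a stanza that
    #    covers the lookup: [] (whole app), [lookups] or [lookups/<file>].
    meta="$app/metadata/default.meta"
    if [ ! -f "$meta" ] || ! awk -v want="lookups/$lookup" '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s); next }
        /^[ \t]*export[ \t]*=[ \t]*system[ \t]*$/ {
            if (s == "" || s == "lookups" || s == want) ok = 1
        }
        END { exit !ok }' "$meta"; then
        echo "EXPORT: no 'export = system' covering $lookup in $meta"
        problems=$((problems + 1))
    fi

    return "$problems"
}
```

Source the file and call `check_lookup_app` against the staged app directory before pushing the bundle; the exit status is the number of checks that failed.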