Since the lookup is not updated if this search is run from a search head other than number one, is it possible to always run it from the same search head? I know we could send the lookup via SFTP to the other search head servers, but if possible we'd like to avoid it.
What am I missing here? If you have clustered search heads you also should have configured cluster replication. For a search head cluster to function properly, its members must all use the same set of search-related configurations.
Hi Azeemering. Yep, cluster replication is configured, but if you copy a lookup file under $SPLUNK_HOME/etc/apps/app_name/lookups, it is updated only on that specific search head; replication is done only if you click the Save button from the web console... or at least this is the behaviour we observed in our environment.