Can you make Splunk treat lookup files as local configuration in a search head cluster?

parsonch
Engager

I am running a custom app that uses lookup files to get some of its configuration on a search head cluster.

When the lookup files are edited on a search head, they replicate across to the others with no trouble.
Today I pushed some new configuration out using the deployer for a different app, and the deployer has overwritten the lookup files that had been updated on the search heads with the original files that were stored in the deployer.

Is there a way to make Splunk treat the lookup files as local configuration?
I assume that if I remove the original lookup files from the deployer, it will overwrite the SH ones with an empty folder when I push out the bundle. Is that correct, or will it only replace the files that it has an update for and leave the rest?

Thanks


esix_splunk
Splunk Employee

See the docs about preserving lookup files through deployment and upgrades:

http://docs.splunk.com/Documentation/Splunk/6.3.1/DistSearch/PropagateSHCconfigurationchanges#Mainta...

Any app that uses lookup tables typically ships with stubs for the table files. Once the app is in use on the search head, the tables get populated as an effect of runtime processes, such as searches. When you later upgrade the app, by default the populated lookup tables get overwritten by the stub files from the latest version of the app, causing you to lose the data in the tables.

To avoid this problem, you can stipulate that the stub files in upgraded apps not overwrite any table files of the same name already on the cluster members. Run the splunk apply shcluster-bundle command on the deployer, setting the -preserve-lookups flag to "true":

splunk apply shcluster-bundle -target https://server:8089 -preserve-lookups true -auth admin:changeme

Note the following:

The default for -preserve-lookups is "false". In other words, by default, the populated lookup tables are overwritten on upgrade.
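
A pre-push check related to the answer above, as an added example that is not part of the original post or Splunk's own tooling: it lists lookup files that exist both in the deployer's staging tree and on a member with different content, which are the files a push without -preserve-lookups true would replace. It assumes a local copy of one member's etc/apps directory is available; the function names and sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def _digest(path):
    """SHA-256 of a file's content, used to compare stub and live tables."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def lookups_at_risk(staged_apps, member_apps):
    """Return 'app/lookups/file' names present in both trees with different content.

    staged_apps: the deployer's staging directory (etc/shcluster/apps).
    member_apps: a copy of one member's etc/apps (assumption: fetched beforehand).
    """
    at_risk = []
    for staged in sorted(Path(staged_apps).glob("*/lookups/*")):
        if not staged.is_file():
            continue
        rel = staged.relative_to(staged_apps)
        live = Path(member_apps) / rel
        # Same name on the member but different content: a default push replaces it.
        if live.is_file() and _digest(live) != _digest(staged):
            at_risk.append(rel.as_posix())
    return at_risk


def build_demo(root):
    """Create constructed sample trees: one edited table, one unchanged, one new."""
    staged = root / "shcluster" / "apps"
    member = root / "member" / "apps"
    files = {
        staged / "custom_app/lookups/settings.csv": "key,value\n",
        member / "custom_app/lookups/settings.csv": "key,value\nthreshold,5\n",
        staged / "custom_app/lookups/static.csv": "id,name\n1,a\n",
        member / "custom_app/lookups/static.csv": "id,name\n1,a\n",
        staged / "other_app/lookups/new.csv": "a,b\n",
    }
    for path, text in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return staged, member


def demo():
    """Run the check over the constructed trees and return the flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        staged, member = build_demo(Path(tmp))
        return lookups_at_risk(staged, member)


if __name__ == "__main__":
    for name in demo():
        print("would be replaced without -preserve-lookups true:", name)
```
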

