Splunk Search

Can you make Splunk treat lookup files as local configuration in a search head cluster?

parsonch
Engager

I am running a custom app that uses lookup files to get some of its configuration on a search head cluster.

When the lookup files are edited on a search head, they replicate across to the others with no trouble.
Today I pushed some new configuration out using the deployer for a different app and the deployer has overwritten the lookup files that had been updated on the search heads with the original files that were stored in the deployer.

Is there a way to make Splunk treat the lookup files as local configuration?
I assume that if I remove the original lookup files from the deployer, it will overwrite the SH ones with an empty folder when I push out the bundle. Is that correct, or will it only replace the files that it has an update for and leave the rest?

Thanks


esix_splunk
Splunk Employee

See the docs about preserving lookup files through deployment and upgrades:

http://docs.splunk.com/Documentation/Splunk/6.3.1/DistSearch/PropagateSHCconfigurationchanges#Mainta...

Any app that uses lookup tables typically ships with stubs for the table files. Once the app is in use on the search head, the tables get populated as an effect of runtime processes, such as searches. When you later upgrade the app, by default the populated lookup tables get overwritten by the stub files from the latest version of the app, causing you to lose the data in the tables.

To avoid this problem, you can stipulate that the stub files in upgraded apps not overwrite any table files of the same name already on the cluster members. Run the splunk apply shcluster-bundle command on the deployer, setting the -preserve-lookups flag to "true":

splunk apply shcluster-bundle -target https://server:8089 -preserve-lookups true -auth admin:changeme

Note the following:

The default for -preserve-lookups is "false". In other words, by default, the populated lookup tables are overwritten on upgrade.
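A pre-push check for the deployer, added here as an example (it is not from the thread or from Splunk's documentation): it lists the lookup files staged in the bundle, which are the ones that would replace member copies under the default, and builds the apply command with -preserve-lookups true when any are present. The function names are hypothetical, and the staging directory is assumed to be $SPLUNK_HOME/etc/shcluster/apps with lookups under <app>/lookups/.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Assumption: apps are staged on the deployer as <staging_dir>/<app>/,
# with lookup table files in <staging_dir>/<app>/lookups/.

# List every staged lookup file as "app/file", one per line.
# Each of these replaces the populated copy on the members when the
# bundle is pushed with the default -preserve-lookups false.
staged_lookups() {
    staging_dir=$1
    for path in "$staging_dir"/*/lookups/*; do
        [ -f "$path" ] || continue      # also skips an unmatched glob
        rel=${path#"$staging_dir"/}     # app/lookups/file
        printf '%s/%s\n' "${rel%%/*}" "${path##*/}"
    done
}

# Print the apply command for this bundle. If any lookup file is staged,
# -preserve-lookups true is added so member copies are kept.
# -auth is left out on purpose: the CLI then prompts for credentials,
# which keeps the password out of shell history and the process list.
apply_command() {
    staging_dir=$1
    target=$2
    cmd="splunk apply shcluster-bundle -target $target"
    if [ -n "$(staged_lookups "$staging_dir")" ]; then
        cmd="$cmd -preserve-lookups true"
    fi
    printf '%s\n' "$cmd"
}

# Usage on the deployer (review the output before running the command):
#   staged_lookups "$SPLUNK_HOME/etc/shcluster/apps"
#   apply_command  "$SPLUNK_HOME/etc/shcluster/apps" https://server:8089
```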
