Splunk Search

Can you make Splunk treat lookup files as local configuration in a search head cluster?

parsonch
Engager

I am running a custom app that uses lookup files to get some of its configuration on a search head cluster.

When the lookup files are edited on a search head, they replicate across to the others with no trouble.
Today I pushed some new configuration out using the deployer for a different app and the deployer has overwritten the lookup files that had been updated on the search heads with the original files that were stored in the deployer.

Is there a way to make Splunk treat the lookup files as local configuration?
I assume that if I remove the original lookup files from the deployer, it will overwrite the SH ones with an empty folder when I push out the bundle. Is that correct, or will it only replace the files that it has an update for and leave the rest?

Thanks

1 Solution

esix_splunk
Splunk Employee

See the docs about preserving lookup files through deployment and upgrades:

http://docs.splunk.com/Documentation/Splunk/6.3.1/DistSearch/PropagateSHCconfigurationchanges#Mainta...

Any app that uses lookup tables typically ships with stubs for the table files. Once the app is in use on the search head, the tables get populated as an effect of runtime processes, such as searches. When you later upgrade the app, by default the populated lookup tables get overwritten by the stub files from the latest version of the app, causing you to lose the data in the tables.

To avoid this problem, you can stipulate that the stub files in upgraded apps not overwrite any table files of the same name already on the cluster members. Run the splunk apply shcluster-bundle command on the deployer, setting the -preserve-lookups flag to "true":

splunk apply shcluster-bundle -target https://server:8089 -preserve-lookups true -auth admin:changeme

Note the following:

The default for -preserve-lookups is "false". In other words, by default, the populated lookup tables are overwritten on upgrade.
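As an added illustration (this is not Splunk's code and is not taken from the docs linked above), the following POSIX shell script simulates the behaviour described in the answer: a pre-push check that lists the populated lookup tables a default push (preserve-lookups false) would overwrite, and a copy step that runs either with the default overwrite semantics or with the "do not overwrite a table file of the same name already on the member" semantics of -preserve-lookups true. The app layout (<app>/lookups/*.csv on both the deployer and the member), the function names and the sample tables are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added illustration, not Splunk's implementation: models how a bundle
# push treats an app's lookups/ directory with and without
# -preserve-lookups, plus a pre-push check for tables at risk.
# Assumed layout: <app>/lookups/*.csv on both deployer and member.

# List lookup files present in both the deployer copy and the member copy
# of the app whose contents differ. These are the tables whose member-side
# data a default (preserve-lookups false) push would replace.
# Prints one file name per line.
lookups_at_risk() {
    deployer_app="$1"
    member_app="$2"
    for f in "$deployer_app"/lookups/*.csv; do
        [ -e "$f" ] || continue          # bundle ships no lookups
        name=$(basename "$f")
        member_file="$member_app/lookups/$name"
        if [ -e "$member_file" ] && ! cmp -s "$f" "$member_file"; then
            printf '%s\n' "$name"
        fi
    done
}

# Copy bundle lookups into the member app directory.
# preserve=true  : files already on the member are left untouched and only
#                  lookups the member lacks are added (the -preserve-lookups
#                  true behaviour described in the answer).
# preserve=false : every bundle file overwrites the member copy (default).
push_lookups() {
    deployer_app="$1"
    member_app="$2"
    preserve="$3"
    mkdir -p "$member_app/lookups"
    for f in "$deployer_app"/lookups/*.csv; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        dest="$member_app/lookups/$name"
        if [ "$preserve" = true ] && [ -e "$dest" ]; then
            continue                     # keep the populated table
        fi
        cp "$f" "$dest"
    done
}

# Constructed demo: a stub table on the deployer, a populated copy on a
# member, and a brand-new table that only the bundle has.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/deployer/app/lookups" "$tmp/member/app/lookups"
    printf 'host,owner\n' > "$tmp/deployer/app/lookups/owners.csv"           # stub
    printf 'host,owner\nweb01,alice\n' > "$tmp/member/app/lookups/owners.csv" # populated
    printf 'key,value\n' > "$tmp/deployer/app/lookups/new_table.csv"

    echo "tables a default push would overwrite:"
    lookups_at_risk "$tmp/deployer/app" "$tmp/member/app"
    push_lookups "$tmp/deployer/app" "$tmp/member/app" true
    echo "owners.csv on the member after a preserve push:"
    cat "$tmp/member/app/lookups/owners.csv"
    rm -rf "$tmp"
}

demo
```

Running the pre-push check against a copy of the deployer's app directory and a member's copy (for example one fetched with rsync or scp) tells you, before you run splunk apply shcluster-bundle, which populated tables a push without -preserve-lookups true would wipe; the preserve mode keeps those and still adds any lookup the member does not have yet.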

