I have an external lookup that is working fine, but due to firewall restrictions, I need to force the external lookup to be executed in the search peer rather in than the search head. I set the local argument parameter of the lookup command to false, but no luck.
| lookup local=false SolrLookupRepeater host as host OUTPUT SolrMeta as SolrMeta
A similar example could be using the external dnsLookup which is an external lookup that is part of the splunk framework.
According to the lookup command documentation:
The argument "local" should do the trick.
Description: If local=true, forces the lookup to run on the search head and not on any remote peers.
It is important to mention that the external lookup is found in the search head and search peer. Both return results if it is ran locally. The permission of the external lookup is set to global in the search head and search peer.
The local argument of the lookup command should be honored as documented.
Any idea why the external lookup is not executed by the search peer when local=false?
You've indicated that you do not wish to run the command on the peers (read: indexers) because of firewall restrictions. In that event, you want "local=true" to force it to run in the reduce portion of the search, on the search head itself.
I was mistaken about where you wanted the search to run the lookup. Providing the "lookup=false" argument to an explicit lookup command may run that command on the search if the search pipeline places the command in the "map" portion (read: remoteSearch in job inspector) of the search. That depends upon what other commands are part of the search. You haven't provided that bit, so I don't know, but you could try it yourself. Once the job is complete, visit the job inspector and look for remoteSearch vs. reportSearch; if the lookup is in reportSearch, you'll have to move it before whatever is at the end of remoteSearch (and things like 'stats' become 'prestats') to parallelize the lookup.
I used the job inspector and the dispatch search directory to identify the context of the search. The lookup is not found in the remoteSearch.
The construct of the search query is as follow:
index=main sourcetype="site-repeater-solr" splunk_server=search_peer host=hostname|dedup host| lookup local=false SolrLookupRepeater host as host OUTPUT SolrMeta as SolrMeta| spath input=SolrMeta| then a bunch of eval expressions| table value1 to value
As you can see, I do not have any aggregation function like stats or time chart etc.
Any idea how to make it work?
I just played with the query following your suggestion and it worked.
If I remove the command "dedup host", the external lookup works as expected. Based on these premisses, the "local=false" argument of the lookup command is not honored if there is a reduce function before the command. This may impose some limitations to the intended results.
Is there anything I can do to force the argument "local=true" to be always honored?
Thanks for your help.
If the lookup is done immediately after your "event gathering" search, it can parallelize and there's less opportunity for a reducing function to occur before the lookup. Unfortunately, I don't know of another way to force the lookup to occur on the peers. I've typically only seen the "local" flag invoked as "true" to force the lookup to occur on the SH instead.
I am a little unclear on three expressions that you used:
dynamic lookup - is this an external lookup?
master head - is this a search head, is it a member of a search head cluster?
search peer - as Splunk uses the term, this would be an indexer. Is this an indexer? Is the indexer a member of an indexer cluster?
Finally, what do you mean by "it" when you say "execute it in a specific search peer"? When you call a lookup, it is executed.
Clearly, I am confused. Sorry, there are just so many terms these days...