How to distribute lookup tables in an indexer clustering environment?

horsefez
Motivator

Hi,

I have an environment consisting of two Indexers (clustered), one search head and one master node. I already read about distributing changes in the environment over the cluster-bundle function.
Now I want to add lookup tables.

Do I need to configure and upload the files on the master node?
Can I distribute the lookup files/definitions via cluster-bundle?

Thanks in advance!

Kind regards,
pyro_wood

0 Karma
masonmorales
Influencer

Lookup tables typically live on your search head. Since you have a single search head (and not a search head cluster), and you want to push your lookup to the indexers, your best option would be to use a replicated KV store.

Take a look at these docs:

0 Karma

alemarzu
Motivator

Cluster-bundle will deploy those configurations to your Peers, not to your Search Head. To do that, use Deployment Server.

Edit: May I ask why you want to deploy lookups to your Peers? Search-time configurations, including lookup tables, go on the search head and the search head only.

horsefez
Motivator

I thought lookup tables need to be stored on the same peers as the data resides.

So I thought I need to upload and configure lookup tables on the master node to then distribute them to the indexers.

0 Karma

alemarzu
Motivator

You won't need to, just drop them in your search head.

horsefez
Motivator

THANKS! This is exactly what I wanted as an answer.
Sadly I'm not able to accept comments as answers, only full postings 😕

0 Karma

alemarzu
Motivator

Cool then 😉

Don't worry about it!

0 Karma

ppablo
Retired

Just converted your comment to an answer @alemarzu 🙂 cheers!

Patrick

0 Karma

alemarzu
Motivator

Thank you!

0 Karma

fdi01
Motivator

As you do not have a DS (deployment server),
you can use cluster-bundle to distribute the lookup files/definitions.

0 Karma

horsefez
Motivator

So, I do need to add lookup files on the master node first, right?

I heard about the option to import lookup-tables onto a search head and then distribute. Is this a valid option, too?

0 Karma

gyslainlatsa
Motivator

Hi pyro_wood,

Search head pooling makes all files in $SPLUNK_HOME/etc/{apps,users} available for sharing. This includes *.conf files, *.meta files, view files, search scripts, lookup tables, etc.

For more information, follow this link:
http://docs.splunk.com/Documentation/Splunk/6.3.2/DistSearch/Configuresearchheadpooling

0 Karma

masonmorales
Influencer

FYI - SH Pooling is deprecated functionality - it still works, but it's not supported.

0 Karma