Hi,
I have an environment consisting of two Indexers (clustered), one search head and one master node. I already read about distributing changes in the environment over the cluster-bundle function.
Now I want to add lookup tables.
Do I need to configure and upload the files on the master node?
Can I distribute the lookup files/definitions via cluster-bundle?
Thanks in advance!
Kind regards,
pyro_wood
Cluster-bundle will deploy those configurations to your Peers, not to your Search Head. To do that, use Deployment Server.
Edit: May I ask why do you want to deploy lookups to your Peers ? Search time configurations, including lookup tables go on the search head and the search head only.
Lookup tables typically live on your search head. Since you have a single search head (and not a search head cluster), and you want to push your lookup to the indexers, your best option would be to use a replicated KV store.
Take a look at these docs:
Cluster-bundle will deploy those configurations to your Peers, not to your Search Head. To do that, use Deployment Server.
Edit: May I ask why do you want to deploy lookups to your Peers ? Search time configurations, including lookup tables go on the search head and the search head only.
I thought lookuptables need to be stored on the same peers as the data resides.
So I thought i need to upload and configure lookuptables on the master-node to then distribute them to the indexers.
You wont need to, just drop them in your search head.
THANKS! This is exactly what I wanted as an answer.
Sadly I'm not able to accept comments as answers, only full postings 😕
Cool then 😉
Dont worry about it!
Just converted your comment to an answer @alemarzu 🙂 cheers!
Patrick
Thank you!
as you don not have a DS(deployment server).
you Can use cluster-bundle to distribute the lookup-files/definitions.
So, I do need to add lookup-files on the master-node first right?
I heard about the option to import lookup-tables onto a search head and then distribute. Is this a valid option, too?
hi pyro_wood,
Search head
pooling makes all files in $SPLUNK_HOME/etc/{apps,users} available for sharing. This includes *.conf files, *.meta files, view files, search scripts, lookup tables
, etc
for more informations, follow this link:
http://docs.splunk.com/Documentation/Splunk/6.3.2/DistSearch/Configuresearchheadpooling
FYI - SH Pooling is deprecated functionality - it still works, but it's not supported.