How to distribute lookup tables in an indexer clustering environment?

horsefez
Motivator

Hi,

I have an environment consisting of two Indexers (clustered), one search head and one master node. I already read about distributing changes in the environment over the cluster-bundle function.
Now I want to add lookup tables.

Do I need to configure and upload the files on the master node?
Can I distribute the lookup files/definitions via cluster-bundle?

Thanks in advance!

Kind regards,
pyro_wood

0 Karma

masonmorales
Influencer

Lookup tables typically live on your search head. Since you have a single search head (and not a search head cluster), and you want to push your lookup to the indexers, your best option would be to use a replicated KV store.

Take a look at these docs:

0 Karma

alemarzu
Motivator

Cluster-bundle will deploy those configurations to your Peers, not to your Search Head. To do that, use Deployment Server.

Edit: May I ask why you want to deploy lookups to your Peers? Search time configurations, including lookup tables, go on the search head and the search head only.

horsefez
Motivator

I thought lookup tables need to be stored on the same peers as the data resides.

So I thought I need to upload and configure lookup tables on the master-node to then distribute them to the indexers.

0 Karma

alemarzu
Motivator

You won't need to, just drop them in your search head.

horsefez
Motivator

THANKS! This is exactly what I wanted as an answer.
Sadly I'm not able to accept comments as answers, only full postings 😕

0 Karma

alemarzu
Motivator

Cool then 😉

Don't worry about it!

0 Karma

ppablo
Retired

Just converted your comment to an answer @alemarzu 🙂 cheers!

Patrick

0 Karma

alemarzu
Motivator

Thank you!

0 Karma

fdi01
Motivator

As you do not have a DS (deployment server),
you can use cluster-bundle to distribute the lookup-files/definitions.

0 Karma

horsefez
Motivator

So, I do need to add lookup-files on the master-node first, right?

I heard about the option to import lookup-tables onto a search head and then distribute. Is this a valid option, too?

0 Karma

gyslainlatsa
Motivator

Hi pyro_wood,

Search head pooling makes all files in $SPLUNK_HOME/etc/{apps,users} available for sharing. This includes *.conf files, *.meta files, view files, search scripts, lookup tables, etc.

For more information, follow this link:
http://docs.splunk.com/Documentation/Splunk/6.3.2/DistSearch/Configuresearchheadpooling

0 Karma

masonmorales
Influencer

FYI - SH Pooling is deprecated functionality - it still works, but it's not supported.

0 Karma