Splunk Search

How to distribute lookup tables in an indexer clustering environment?

horsefez
SplunkTrust
SplunkTrust

Hi,

I have an environment consisting of two Indexers (clustered), one search head and one master node. I already read about distributing changes in the environment over the cluster-bundle function.
Now I want to add lookup tables.

Do I need to configure and upload the files on the master node?
Can I distribute the lookup files/definitions via cluster-bundle?

Thanks in advance!

Kind regards,
pyro_wood

0 Karma
1 Solution

alemarzu
Motivator

Cluster-bundle will deploy those configurations to your Peers, not to your Search Head. To do that, use Deployment Server.

Edit: May I ask why do you want to deploy lookups to your Peers ? Search time configurations, including lookup tables go on the search head and the search head only.

View solution in original post

masonmorales
Influencer

Lookup tables typically live on your search head. Since you have a single search head (and not a search head cluster), and you want to push your lookup to the indexers, your best option would be to use a replicated KV store.

Take a look at these docs:

0 Karma

alemarzu
Motivator

Cluster-bundle will deploy those configurations to your Peers, not to your Search Head. To do that, use Deployment Server.

Edit: May I ask why do you want to deploy lookups to your Peers ? Search time configurations, including lookup tables go on the search head and the search head only.

View solution in original post

horsefez
SplunkTrust
SplunkTrust

I thought lookuptables need to be stored on the same peers as the data resides.

So I thought i need to upload and configure lookuptables on the master-node to then distribute them to the indexers.

0 Karma

alemarzu
Motivator

You wont need to, just drop them in your search head.

horsefez
SplunkTrust
SplunkTrust

THANKS! This is exactly what I wanted as an answer.
Sadly I'm not able to accept comments as answers, only full postings 😕

0 Karma

alemarzu
Motivator

Cool then 😉

Dont worry about it!

0 Karma

ppablo
Community Manager
Community Manager

Just converted your comment to an answer @alemarzu 🙂 cheers!

Patrick

0 Karma

alemarzu
Motivator

Thank you!

0 Karma

fdi01
Motivator

as you don not have a DS(deployment server).
you Can use cluster-bundle to distribute the lookup-files/definitions.

0 Karma

horsefez
SplunkTrust
SplunkTrust

So, I do need to add lookup-files on the master-node first right?

I heard about the option to import lookup-tables onto a search head and then distribute. Is this a valid option, too?

0 Karma

gyslainlatsa
Motivator

hi pyro_wood,

Search head pooling makes all files in $SPLUNK_HOME/etc/{apps,users} available for sharing. This includes *.conf files, *.meta files, view files, search scripts, lookup tables, etc

for more informations, follow this link:
http://docs.splunk.com/Documentation/Splunk/6.3.2/DistSearch/Configuresearchheadpooling

0 Karma

masonmorales
Influencer

FYI - SH Pooling is deprecated functionality - it still works, but it's not supported.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.