Splunk Search

If you have multiple search heads do lookup tables need to be copied to all of them or does bundle replication take care of this?

kbecker
Communicator

I was under the impression that this was taken care of automatically by the bundle replication; however, when trying to use a lookup table created on another search head, we receive an error stating it doesn't exist. On the search head without the original lookup table, I can find the lookup table in the $SPLUNK_HOME/var/run/searchpeers/... directory. How can I access this lookup table? I do not want to have to manually copy lookup tables around to multiple search heads.

Thanks

yannK
Splunk Employee

Bundle replication will do it, before every search.
However if your lookups (or any file in the apps) are large and changing often, it may slow down your searches.

If this is the case, you may want to use another method: the mounted knowledge bundle
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Mounttheknowledgebundle

yannK
Splunk Employee

Search-head to search-peer knowledge bundle replication exists by default.

Search-head to search-head knowledge bundle replication is not an existing feature. (To share knowledge by other means, see search head pooling.)

0 Karma

kbecker
Communicator

What is the difference between "search-head to search-peer" replication & "search-head to search-head" replication?

We have also started using Search Head Pooling on a few of our other Search Heads; enabling this caused a performance hit, so we will be disabling it soon.

0 Karma

yannK
Splunk Employee

My bad, I thought that you were asking for search-head to search-peer replication.

For search-head to search-head, this is NOT automatic (they are not aware of the existence of each other),
and you need to configure search-head pooling:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configuresearchheadpooling

0 Karma

kbecker
Communicator

That is what I thought; however, it is not working. Do the apps need to be the same between search heads for this to work? For example, on search head 1 you create a lookup in App X and make it global. Search head 2 then receives the bundle, but App X doesn't exist on this search head. Is the lookup still accessible to all other apps on search head 2?

0 Karma