I was under the impression that this was taken care of automatically by the bundle replication; however, when trying to use a lookup table created on another search head, we receive an error stating it doesn't exist. On the search head without the original lookup table, I can find the lookup table in the $SPLUNK_HOME/var/run/searchpeers/... directory. How can I access this lookup table? I do not want to have to manually copy lookup tables around to multiple search heads.
Bundle replication will do it, before every search.
However, if your lookups (or any file in the apps) are large and changing often, it may slow down your searches.
If this is the case, you may want to use another method: the mounted knowledge bundle.
That is what I thought; however, it is not working. Do the apps need to be the same between search heads for this to work? For example, on search head 1 you create a lookup in App X and make it global. Search head 2 then receives the bundle, but App X doesn't exist on this search head. Is the lookup still accessible to all other apps on search head 2?
My bad, I thought that you were asking for search-head to search-peer replication.
For search-head to search-head, this is NOT automatic (they are not aware of the existence of each other),
and you need to configure: search-head pooling.
What is the difference between "search-head to search-peer" replication & "search-head to search-head" replication?
We have also started using Search Head Pooling on a few of our other Search Heads. Enabling this caused a performance hit, so we will be disabling it soon.
Search-head to search-peer knowledge bundle replication exists by default.
Search-head to search-head knowledge bundle replication is not an existing feature. (To share knowledge by other ways, see search head pooling.)