If you have multiple search heads do lookup tables need to be copied to all of them or does bundle replication take care of this?

Communicator

I was under the impression that this was taken care of automatically by bundle replication; however, when trying to use a lookup table created on another search head, we receive an error stating it doesn't exist. On the search head without the original lookup table, I can find the lookup table in the $SPLUNK_HOME/var/run/searchpeers/... directory. How can I access this lookup table? I do not want to have to manually copy lookup tables around to multiple search heads.

Thanks


Re: If you have multiple search heads do lookup tables need to be copied to all of them or does bundle replication take care of this?

Splunk Employee

Bundle replication will do it, before every search.
However, if your lookups (or any file in the apps) are large and changing often, it may slow down your searches.

If this is the case, you may want to use another method: the mounted knowledge bundle
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Mounttheknowledgebundle


Re: If you have multiple search heads do lookup tables need to be copied to all of them or does bundle replication take care of this?

Communicator

That is what I thought; however, it is not working. Do the apps need to be the same between search heads for this to work? For example, on search head 1 you create a lookup in App X and make it global. Search head 2 then received the bundle, but App X doesn't exist on this search head. Is the lookup still accessible to all other apps on search head 2?

0 Karma

Re: If you have multiple search heads do lookup tables need to be copied to all of them or does bundle replication take care of this?

Splunk Employee

My bad, I thought that you were asking for search-head to search-peer replication.

For search-head to search-head, this is NOT automatic (they are not aware of the existence of each other),
and you need to configure search-head pooling:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Configuresearchheadpooling

0 Karma

Re: If you have multiple search heads do lookup tables need to be copied to all of them or does bundle replication take care of this?

Communicator

What is the difference between "search-head to search-peer" replication & "search-head to search-head" replication?

We have also started using Search Head Pooling on a few of our other Search Heads; enabling this caused a performance hit, so we will be disabling it soon.

0 Karma

Re: If you have multiple search heads do lookup tables need to be copied to all of them or does bundle replication take care of this?

Splunk Employee

Search-head to search-peer knowledge bundle replication exists by default.

Search-head to search-head knowledge bundle replication is not an existing feature. (To share knowledge by other means, see search head pooling.)

0 Karma