Splunk Search

In a distributed search environment, where do my configurations go? The search head? The Indexers?

jrodman
Splunk Employee

If I have, say, five indexers and a search head that points at them, where do my field extractions, tagging, lookups, and so on get stored? Do I have to manually distribute them to my indexing nodes? If the configuration is distributed automatically, when does it happen, and are there any exceptions? What about a conflict between settings on the different nodes?

1 Solution

gkanapathy
Splunk Employee

Search-time configurations, including lookup tables, lookup scripts, and custom search commands, as well as field extractions, tags, event types, aliases, etc., go on the search head and the search head only. The Distributed Search mechanism will make sure the configuration items are sent to the indexers when a search is issued.

However, do note that lookup tables and lookup/search scripts must be in an app's or the system's lookups or bin directories. Also, any resources that the scripts themselves reference will only be copied to the indexers if they are files located inside the bin, lookup, or other app folders, and such references must be relative to the app or script base (and not absolute). (Other resources will only be available if you use some other method to get them to the indexers and reference them accordingly in your scripts.) If you have scripts, you may rely on this mechanism to distribute the scripts, or you can look at the localop command and the local option on the lookup search command.

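To make the answer concrete, here is an added example that is not from the thread or from Splunk: a Python external lookup script laid out so that the knowledge bundle carries everything it needs to the indexers. The app name `myapp`, the script name `asset_owner_lookup.py`, the lookup file `asset_owner.csv`, the `transforms.conf` stanza and the sample rows are all assumptions made for the example. The script derives the path of its lookup file from its own location under `<app>/bin`, never from an absolute path, and refuses to run if that file sits outside `bin/` or `lookups/`, since, per the answer, such a file would not reach the indexers.

```python
# Added example (not from the thread or from Splunk): an external lookup script laid
# out so the knowledge bundle carries everything it needs to the indexers.
# Hypothetical app "myapp", hypothetical lookup file "asset_owner.csv".
#
# transforms.conf in <app>/default would reference it as (hypothetical stanza):
#   [asset_owner]
#   external_cmd = asset_owner_lookup.py host owner tier
#   fields_list = host, owner, tier
import csv
import io
import os
import sys
import tempfile

# Per the answer above, only files under the app's bin/ and lookups/ directories
# (and the system ones) travel in the bundle; anything else is absent on the indexer.
BUNDLED_DIRS = ("bin", "lookups")


def app_root_from_script(script_path):
    """Given <app>/bin/<script>.py, return <app>; derived from the script's own location."""
    return os.path.dirname(os.path.dirname(os.path.abspath(script_path)))


def resolve_resource(script_path, *rel_parts):
    """Build a path relative to the app root, e.g. resolve_resource(__file__, 'lookups', 'x.csv')."""
    return os.path.join(app_root_from_script(script_path), *rel_parts)


def is_bundled(path, app_root):
    """True if path lies under <app>/bin or <app>/lookups, i.e. it will reach the indexers.
    realpath() normalises '..' and symlinks so a path that escapes the app is caught."""
    real = os.path.realpath(path)
    for d in BUNDLED_DIRS:
        base = os.path.realpath(os.path.join(app_root, d))
        if real == base or real.startswith(base + os.sep):
            return True
    return False


def load_table(csv_path, key_field):
    """Load the lookup file into a dict keyed on key_field."""
    with open(csv_path, newline="") as fh:
        return {row[key_field]: row for row in csv.DictReader(fh)}


def run_lookup(rows, table, key_field, out_fields):
    """External-lookup protocol: Splunk sends CSV rows with the output fields empty;
    fill them from the table. Unmatched rows are passed through unchanged."""
    filled = []
    for row in rows:
        match = table.get(row.get(key_field, ""))
        if match:
            row = dict(row, **{f: match.get(f, "") for f in out_fields if f in row})
        filled.append(row)
    return filled


def main(argv=None):
    """Entry point when Splunk invokes the script: CSV in on stdin, CSV out on stdout."""
    argv = sys.argv[1:] if argv is None else argv
    key_field, out_fields = argv[0], argv[1:]
    csv_path = resolve_resource(__file__, "lookups", "asset_owner.csv")  # relative, never absolute
    if not is_bundled(csv_path, app_root_from_script(__file__)):
        sys.exit("lookup file is outside bin/ or lookups/; it will not reach the indexers")
    table = load_table(csv_path, key_field)
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    writer.writerows(run_lookup(reader, table, key_field, out_fields))


def demo():
    """Offline run: build a throwaway app layout with a constructed lookup file and
    constructed stdin rows (the way Splunk would send them), then return the filled rows."""
    app = os.path.join(tempfile.mkdtemp(), "myapp")
    for d in BUNDLED_DIRS:
        os.makedirs(os.path.join(app, d))
    script = os.path.join(app, "bin", "asset_owner_lookup.py")
    csv_path = resolve_resource(script, "lookups", "asset_owner.csv")
    with open(csv_path, "w", newline="") as fh:
        fh.write("host,owner,tier\nweb01,platform-team,prod\ndb01,data-team,prod\n")
    table = load_table(csv_path, "host")
    stdin_rows = list(csv.DictReader(io.StringIO("host,owner,tier\nweb01,,\nunknown,,\n")))
    return run_lookup(stdin_rows, table, "host", ["owner", "tier"])


if __name__ == "__main__":
    if sys.stdin.isatty():
        for r in demo():
            print(r)
    else:
        main()
```

Dropped into `<app>/bin` with the matching `transforms.conf` stanza, this runs unchanged on the indexers because the CSV rides along in the bundle. If the lookup must instead run only on the search head, the answer's other options apply: `| lookup local=true asset_owner host OUTPUT owner tier` keeps that one lookup on the search head, and `| localop` forces everything after it in the pipeline to run there.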

gfriedmann
Communicator

I ran into inconsistent behavior with 4.2.2 when the indexers had an old copy of a lookup table defined and referenced. The search head had the updated copy. It was a bit of a pain to troubleshoot. The difference ended up becoming apparent if the lookup was applied after the main search results instead of fueling the main search itself.


gkanapathy
Splunk Employee

I have tested this, and the one from the search head is used. The search head sends over a bundle containing every single app, system and user config, and I believe that for purposes of executing a search from the search head, the splunk-search process loads that entire configuration.


jrodman
Splunk Employee

Incidentally, a variety of things were not replicated to the search nodes correctly in versions of 4.0.x, for example lookup scripts didn't make it across until 4.0.7 or so.

Still wish I knew what happens in case of conflict. The search head says the transform uses REGEX1, the indexer says it uses REGEX2....

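jrodman's conflict question is left open in the thread; gkanapathy's reply above says the search head's copy is the one used. Either way, the practical move is to find such disagreements before a search does. The following is an added example, not code from the thread or from Splunk: a small parser for Splunk `.conf` stanzas and a diff that reports every setting defined on both the search head and an indexer with different values. The node names `idx01`/`idx02` and the `transforms.conf` texts are constructed samples; the second stanza exercises the backslash line continuation Splunk allows in `.conf` values.

```python
# Added example (not from the thread or from Splunk): diff a .conf file as it exists
# on the search head against the copies on each indexer, so a REGEX1-vs-REGEX2 style
# disagreement is found before it surprises a search.
# The .conf texts below are constructed samples; node names are hypothetical.


def parse_conf(text):
    """Parse Splunk .conf text: [stanza] headers, key = value lines, '#' comments,
    and a trailing backslash continuing a value onto the next line."""
    stanzas = {}
    current = "default"
    pending = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending is not None:
            line = pending + line.lstrip()
            pending = None
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("[") and s.endswith("]"):
            current = s[1:-1]
            stanzas.setdefault(current, {})
            continue
        key, sep, value = s.partition("=")
        if sep:
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def find_conflicts(search_head_text, indexer_texts):
    """Return (node, stanza, key, search_head_value, indexer_value) for each setting
    defined on both sides with different values. Keys present on only one side are
    skipped: they are not conflicts, just absent on that node."""
    sh = parse_conf(search_head_text)
    conflicts = []
    for node, text in sorted(indexer_texts.items()):
        idx = parse_conf(text)
        for stanza, sh_settings in sh.items():
            idx_settings = idx.get(stanza, {})
            for key, sh_value in sh_settings.items():
                if key in idx_settings and idx_settings[key] != sh_value:
                    conflicts.append((node, stanza, key, sh_value, idx_settings[key]))
    return conflicts


# Constructed sample: the search head's copy of transforms.conf.
SEARCH_HEAD_TRANSFORMS = r"""
[auth_user]
REGEX = user=(?<user>\S+)
FORMAT = user::$1

[long_regex]
REGEX = src=(?<src>\S+) \
    dst=(?<dst>\S+)
"""

# Constructed samples: idx01 carries a stale REGEX, idx02 matches the search head.
INDEXER_TRANSFORMS = {
    "idx01": r"""
[auth_user]
REGEX = username=(?<user>\S+)
FORMAT = user::$1
""",
    "idx02": r"""
[auth_user]
REGEX = user=(?<user>\S+)
FORMAT = user::$1

[long_regex]
REGEX = src=(?<src>\S+) dst=(?<dst>\S+)
""",
}


def demo_conflicts():
    """Run the diff over the constructed samples; only idx01's REGEX should differ."""
    return find_conflicts(SEARCH_HEAD_TRANSFORMS, INDEXER_TRANSFORMS)


if __name__ == "__main__":
    for node, stanza, key, sh_val, idx_val in demo_conflicts():
        print(f"{node}: [{stanza}] {key}: search head={sh_val!r} indexer={idx_val!r}")
```

Feed it the real files, or the merged view that `splunk btool transforms list` prints on each node. The replicated bundle itself is unpacked on each indexer under `$SPLUNK_HOME/var/run/searchpeers/`, so what the search head actually shipped can be diffed against the indexer's own `etc/` the same way.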