Splunk Search

Is it possible to replicate bash script generated lookup across search head cluster?

milesmedboe
Explorer

Hi folks,

I am using a bash script to download data to populate a CSV that I'd like to use as a lookup in Splunk.

So far I have created the empty lookup on our deployer, which has successfully pushed it out to the search head cluster members.

I have a script running on the cluster-master that populates the empty lookup, the changes, however, are not replicating across the cluster, I expected this to work as the lookup location is whitelisted for replication in server.conf.

The changes to the CSV are failing to replicate across the cluster, do the changes to a lookup need to happen within Splunk for lookup replication to work?

An alternative solution would be to generate the script on the deployer and script a bundle push every 12 hours. I'm reluctant to have automated bundle pushes occurring outwith office hours due to issues we've experienced previously.

Has anyone ever attempted to do something similar, and is able to offer any guidance?

Many thanks,

Miles

0 Karma
1 Solution

milesmedboe
Explorer

Found a workaround here, implemented it and it is doing exactly what I wanted to do - https://medium.com/@clong/splunk-building-dynamic-lookup-tables-a593261569

Would be nice to see Splunk handling stuff like this better in future releases

View solution in original post

0 Karma

milesmedboe
Explorer

Found a workaround here, implemented it and it is doing exactly what I wanted to do - https://medium.com/@clong/splunk-building-dynamic-lookup-tables-a593261569

Would be nice to see Splunk handling stuff like this better in future releases

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...