Lookup Works from Search Head, But Not From Indexer?

aferone
Builder

I am trying to run a search that populates a summary index using a lookup.

The lookup works just fine on the search head, but the summary index I am populating resides on the indexer. So I am trying to run the search, using the lookup, from the indexer. However, the indexer is not seeing the lookup. I get the following errors:

Error in 'lookup' command: The lookup table 'nameax' does not exist.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

The permissions for both the file and the lookup definition are set to global. And I can't populate the summary index that resides on the indexer from the search head.

Any ideas?

Thanks!

0 Karma

woodcock
Esteemed Legend

OK, then either your permissions are wrong or your "scoping"; try adding this to your app's default/default.meta file:

# Application-level permissions
[]
access = read : [ admin ], write : [ admin ]
### LOOKUPS
[lookups]
export = system
0 Karma
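
As an added example (not part of the original posts, and not Splunk's own code): a small Python check that reads `.meta` text and reports whether a lookup's CSV file and its lookup definition are exported globally. The file name `nameax.csv`, the function names, and the most-specific-stanza-wins inheritance are assumptions; the sample input is the `default.meta` text posted above.

```python
# Added example: report whether a lookup is exported globally by a .meta file.
# Constructed sample input: the default.meta stanzas posted above.
SAMPLE_META = """\
# Application-level permissions
[]
access = read : [ admin ], write : [ admin ]
### LOOKUPS
[lookups]
export = system
"""

def parse_meta(text):
    """Parse default.meta/local.meta text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective_export(stanzas, obj_type, obj_name):
    """Assumed inheritance: [type/name] beats [type], which beats []."""
    for stanza in (f"{obj_type}/{obj_name}", obj_type, ""):
        if "export" in stanzas.get(stanza, {}):
            return stanzas[stanza]["export"], stanza
    return None, None

def lookup_report(meta_text, csv_file, definition):
    """Check both objects a lookup needs: the CSV file ([lookups/...]) and
    the lookup definition, which lives in transforms.conf ([transforms/...])."""
    stanzas = parse_meta(meta_text)
    report = {}
    for obj_type, obj_name in (("lookups", csv_file), ("transforms", definition)):
        export, source = effective_export(stanzas, obj_type, obj_name)
        report[f"{obj_type}/{obj_name}"] = {
            "export": export,
            "set_by": source,
            "global": export == "system",
        }
    return report

if __name__ == "__main__":
    # "nameax.csv" is a hypothetical file name; "nameax" is from the error text.
    for obj, info in lookup_report(SAMPLE_META, "nameax.csv", "nameax").items():
        print(obj, info)
```

With the posted stanzas, the CSV file is reported as global through `[lookups]`, while `transforms/nameax` has no `export` setting in this file.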

aferone
Builder

Those are already set correctly.

0 Karma

woodcock
Esteemed Legend

Do not run your searches from the Indexer. If the indexer is a search peer (check "Settings" -> "Distributed Search" -> "Search Peers") then you will be able to access the SI data from your search head. This is the proper way to do it. The other way to do it is to copy your lookup Knowledge Objects (probably 3/lookup) to the Indexer. The way this works is that the KOs that exist on the Search Head (including your lookup KOs) which are relevant to your search are bundled up and replicated out to the Indexers who perform the searches ("bundle replication") so that the KOs do not need to be manually synchronized by you. Your problem is that you are doing your search in the wrong place (Indexer instead of Search Head).

aferone
Builder

I'm not quite following.

I normally do all searches from the search head. The reason I seem to not be able to this time is because I am trying to populate a summary index that exists on our indexer.

0 Karma

woodcock
Esteemed Legend

If you have to do this, then copy the KOs for your lookup from your Search Head to your Indexer. Go to "Settings" -> "All Configurations" and search for a lookup.conf, props.conf and transforms.conf entry (1 in each file) for your lookup and copy those to your Indexers. You can get away with just copying the lookup.conf KO but you will have to manually call the lookup in your search string (this is probably best).

0 Karma

aferone
Builder

It is just one lookup table. It's a .csv file. I set it up the exact same way on the search head as I did on the indexer.

0 Karma