Migrating/Copying lookup file from an existing Search head cluster to a new Search head Cluster (Enterprise Security)


We are trying to create a new Enterprise Security Search head cluster (with the latest ES version). What's the best way to migrate/copy the lookup files from apps on an existing Search head cluster to the new Search head cluster on version 7.3.0?

1) Copy over the lookups from existing Search head cluster members to the new deployer app's lookup directory and apply the shcluster-bundle?
2) Stop all the new SHC members and scp the lookup files onto the SHs directly without using the deployer?

Kindly advise the best possible method to achieve this.
