Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is a lookup working on one search head and not another?

DavisLee
New Member
‎03-11-2019 11:42 AM

How can I determine:

1) Why a Lookup is working on one search head but not on another?

2) How to get it to work on the second search head.

More detail:
I've been tasked with consolidating alerts on one search head. One of the alerts boils down to whether a macro containing the Lookup "thostinfo" works. I notice that on the SH it works, it is mentioned in "Searches, Reports, and Alerts"; on the SH where it doesn't it is not listed there.

I've found https://answers.splunk.com/answers/472888/splunk-app-for-windows-infrastructure-how-to-fix-t.html and wondered if the accepted answer would work. But I barely know enough to ask what questions I should be asking.

Many thanks.

Tags (2)
0 Karma
Reply

nickhills
Ultra Champion
‎03-12-2019 03:43 AM

Is it possible that on the server where:

it is mentioned in "Searches, Reports, and Alerts"
That the search in question is actually a "populating search" which writes data to the csv?

Have you tried to see if Splunk can display the contents of the file using |inputlookup mylookup.cvs
If so - are the results the same on both search heads?

If my comment helps, please give it a thumbs up!
0 Karma
Reply

somesoni2
SplunkTrust
SplunkTrust
‎03-11-2019 12:33 PM

Check if the lookup or lookup definition exists in other search head (whatever is used in that alert). If lookup exists, check the sharing permissions of the lookup is same or not on both search heads.

0 Karma
Reply

DavisLee
New Member
‎03-11-2019 12:44 PM

The Lookup Definitions exist on both search heads and the permissions are the same.

Thank you

0 Karma
Reply

lakshman239
SplunkTrust
SplunkTrust
‎03-12-2019 03:10 AM

Are they both in the same app or in different app in both search heads? Also, what's the permission of the app and lookup? is that global OR app specific? In both the search heads, are you able to run something like |inputlookup yourlookupname.csv

from the Search app?

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...