Splunk Search

Why other apps are calling a lookup that is not globally shared and causing errors?

jeremiahc4
Builder

I see a lot of questions asked here similar to this, and the answer is generally to make the lookup globally shared. I want to avoid this approach as the lookup is specific to this app and would render incorrect data in other apps if used there. Can someone help me understand why other apps are picking up this lookup and trying to run it?

The lookup is defined in $SPLUNK_HOME/etc/apps/myapp/local/props.conf

[source::*IISLogs*]
LOOKUP-application = myappmapping appContainer OUTPUT application

Of note, the lookup behaves perfectly when in the app. However, this weird error is being thrown in all other apps now.

Tags (1)

hexx
Splunk Employee
Splunk Employee

In all likelihood, you are exporting automatic lookups (and/or all props) defined in "myapp" to be system-wide in default.meta or local.meta.

You should make sure that these automatic lookups are kept within "myapp" and not exported system-wide.

You can do this by manually editing default.meta / local.meta or by editing the sharing mode of your automatic lookup in settings > lookups > automatic lookups > lookup_name to be "app only".

0 Karma

jeremiahc4
Builder

I did create it by a source, but I did so within the app. If that's the way it really works, then this sounds like a bug to me. I thought the app was the way to corral things together that belonged together. I guess I could look to try using host instead of source, but that's gonna get ugly methinks. Many of our hostnames are the same except for a number.

0 Karma

jeremiahc4
Builder

Not to dig up old stuff, but I am at a loss as to what changed since I posted this. I found that the automatic lookup was set to global and changed it to this app only and now it works fine within the app and doesn't throw errors in other apps. I know that I have not upgraded since my original post, so perhaps it was just an oversight on my behalf.

0 Karma

strive
Influencer

lguinn has mentioned this point "My guess is that you set up an automatic lookup for a source or sourcetype. Now Splunk wants to run the lookup even when you are working in a different App." here http://answers.splunk.com/answers/54059/second-indexersearchpeer-reports-the-lookup-table-lookup_tab...

Check if it is applicable

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...