Why are other apps calling a lookup that is not globally shared and causing errors?

jeremiahc4
Builder

I see a lot of questions asked here similar to this, and the answer is generally to make the lookup globally shared. I want to avoid this approach as the lookup is specific to this app and would render incorrect data in other apps if used there. Can someone help me understand why other apps are picking up this lookup and trying to run it?

The lookup is defined in $SPLUNK_HOME/etc/apps/myapp/local/props.conf

[source::*IISLogs*]
LOOKUP-application = myappmapping appContainer OUTPUT application

Of note, the lookup behaves perfectly when in the app. However, this weird error is being thrown in all other apps now.

hexx
Splunk Employee

In all likelihood, you are exporting automatic lookups (and/or all props) defined in "myapp" to be system-wide in default.meta or local.meta.

You should make sure that these automatic lookups are kept within "myapp" and not exported system-wide.

You can do this by manually editing default.meta / local.meta or by editing the sharing mode of your automatic lookup in settings > lookups > automatic lookups > lookup_name to be "app only".

0 Karma
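
An added example (not part of any post in this thread, and not Splunk's own code) that audits the situation described in the answer above: an automatic lookup exported system-wide while the lookup definition it calls stays app-scoped. The metadata contents, the per-object stanza name and its URL-encoding, and the "not exported when nothing is set" default are assumptions made for illustration.

```python
from urllib.parse import unquote

# Constructed samples: the thread's props.conf stanza, plus an assumed metadata/local.meta.
PROPS = """
[source::*IISLogs*]
LOOKUP-application = myappmapping appContainer OUTPUT application
"""
META_BEFORE = """
[props]
export = system

[transforms/myappmapping]
export = none
"""
# Assumed per-object stanza (conf/stanza/attribute, URL-encoded) pinning the lookup to the app.
META_AFTER = META_BEFORE + """
[props/source%3A%3A*IISLogs*/LOOKUP-application]
export = none
"""

def parse_conf(text):
    """Parse Splunk-style .conf/.meta text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(unquote(line[1:-1]), {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective_export(meta, conf, stanza, attr=None):
    """Most specific stanza wins; no setting is treated as not exported (assumption)."""
    keys = [f"{conf}/{stanza}", conf, ""]
    if attr:
        keys.insert(0, f"{conf}/{stanza}/{attr}")
    return next((meta[k]["export"] for k in keys if "export" in meta.get(k, {})), "none")

def leaking_auto_lookups(props_text, meta_text):
    """Automatic lookups exported system-wide whose lookup definition is not."""
    props, meta = parse_conf(props_text), parse_conf(meta_text)
    return [(stanza, attr, value.split()[0])
            for stanza, settings in props.items()
            for attr, value in settings.items()
            if attr.startswith("LOOKUP-") and value.split()
            and effective_export(meta, "props", stanza, attr) == "system"
            and effective_export(meta, "transforms", value.split()[0]) != "system"]

if __name__ == "__main__":
    print("before:", leaking_auto_lookups(PROPS, META_BEFORE))
    print("after: ", leaking_auto_lookups(PROPS, META_AFTER))
```
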

jeremiahc4
Builder

I did create it by a source, but I did so within the app. If that's the way it really works, then this sounds like a bug to me. I thought the app was the way to corral things together that belonged together. I guess I could look to try using host instead of source, but that's gonna get ugly methinks. Many of our hostnames are the same except for a number.

0 Karma

jeremiahc4
Builder

Not to dig up old stuff, but I am at a loss as to what changed since I posted this. I found that the automatic lookup was set to global and changed it to this app only and now it works fine within the app and doesn't throw errors in other apps. I know that I have not upgraded since my original post, so perhaps it was just an oversight on my behalf.

0 Karma

strive
Influencer

lguinn has mentioned this point "My guess is that you set up an automatic lookup for a source or sourcetype. Now Splunk wants to run the lookup even when you are working in a different App." here http://answers.splunk.com/answers/54059/second-indexersearchpeer-reports-the-lookup-table-lookup_tab...

Check if it is applicable.
