Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why other apps are calling a lookup that is not globally shared and causing errors?

jeremiahc4
Builder
‎08-01-2014 10:36 AM

I see a lot of questions asked here similar to this, and the answer is generally to make the lookup globally shared. I want to avoid this approach as the lookup is specific to this app and would render incorrect data in other apps if used there. Can someone help me understand why other apps are picking up this lookup and trying to run it?

The lookup is defined in $SPLUNK_HOME/etc/apps/myapp/local/props.conf

[source::*IISLogs*]
LOOKUP-application = myappmapping appContainer OUTPUT application

Of note, the lookup behaves perfectly when in the app. However, this weird error is being thrown in all other apps now.

Tags (1)
Reply

hexx
Splunk Employee
Splunk Employee
‎12-23-2014 01:48 PM

In all likelihood, you are exporting automatic lookups (and/or all props) defined in "myapp" to be system-wide in default.meta or local.meta.

You should make sure that these automatic lookups are kept within "myapp" and not exported system-wide.

You can do this by manually editing default.meta / local.meta or by editing the sharing mode of your automatic lookup in settings > lookups > automatic lookups > lookup_name to be "app only".

0 Karma
Reply

jeremiahc4
Builder
‎08-01-2014 12:40 PM

I did create it by a source, but I did so within the app. If that's the way it really works, then this sounds like a bug to me. I thought the app was the way to corral things together that belonged together. I guess I could look to try using host instead of source, but that's gonna get ugly methinks. Many of our hostnames are the same except for a number.

0 Karma
Reply

jeremiahc4
Builder
‎12-23-2014 11:57 AM

Not to dig up old stuff, but I am at a loss as to what changed since I posted this. I found that the automatic lookup was set to global and changed it to this app only and now it works fine within the app and doesn't throw errors in other apps. I know that I have not upgraded since my original post, so perhaps it was just an oversight on my behalf.

0 Karma
Reply

strive
Influencer
‎08-01-2014 11:12 AM

lguinn has mentioned this point "My guess is that you set up an automatic lookup for a source or sourcetype. Now Splunk wants to run the lookup even when you are working in a different App." here http://answers.splunk.com/answers/54059/second-indexersearchpeer-reports-the-lookup-table-lookup_tab...

Check if it is applicable

Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...