Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

when executing an external lookup, does splunk execute it on all nodes or just on the search head?

whisperstream
Explorer
‎07-31-2015 09:35 AM

I have a set of log data that contains user_ids, and want to do a lookup to resolve the user_id to an email address. I have an external look that can programmatically resolve each user's id, but am wondering (assuming I have a 4 node cluster) if splunk will execute 4 instances of the lookup script in parallel or if it only launches one (or if it's configurable?)

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-31-2015 10:04 AM

Normally, Splunk sends the lookup file from the Search Head in the bundle replication process to the Indexers and the lookups are done there. However, you can force the lookups to be done on the search head with the local=true:

Syntax: local=<bool>
Description: If local=true, forces the lookup to run on the search head and not on any remote peers.

Obviously, this can very drastically impact performance because some of the normally-reduced job may now have to be done on the Search Head.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-31-2015 10:04 AM

Normally, Splunk sends the lookup file from the Search Head in the bundle replication process to the Indexers and the lookups are done there. However, you can force the lookups to be done on the search head with the local=true:

Syntax: local=<bool>
Description: If local=true, forces the lookup to run on the search head and not on any remote peers.

Obviously, this can very drastically impact performance because some of the normally-reduced job may now have to be done on the Search Head.

0 Karma
Reply
Solved! Jump to solution

whisperstream
Explorer
‎07-31-2015 10:32 AM

Thanks for that "bundle replication" was the keyword I was looking for, for others interested I also found this link: http://docs.splunk.com/Documentation/Splunk/6.2.4/DistSearch/Mounttheknowledgebundle

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...