Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

when executing an external lookup, does splunk execute it on all nodes or just on the search head?

whisperstream
Explorer
‎07-31-2015 09:35 AM

I have a set of log data that contains user_ids, and want to do a lookup to resolve the user_id to an email address. I have an external look that can programmatically resolve each user's id, but am wondering (assuming I have a 4 node cluster) if splunk will execute 4 instances of the lookup script in parallel or if it only launches one (or if it's configurable?)

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-31-2015 10:04 AM

Normally, Splunk sends the lookup file from the Search Head in the bundle replication process to the Indexers and the lookups are done there. However, you can force the lookups to be done on the search head with the local=true:

Syntax: local=<bool>
Description: If local=true, forces the lookup to run on the search head and not on any remote peers.

Obviously, this can very drastically impact performance because some of the normally-reduced job may now have to be done on the Search Head.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-31-2015 10:04 AM

Normally, Splunk sends the lookup file from the Search Head in the bundle replication process to the Indexers and the lookups are done there. However, you can force the lookups to be done on the search head with the local=true:

Syntax: local=<bool>
Description: If local=true, forces the lookup to run on the search head and not on any remote peers.

Obviously, this can very drastically impact performance because some of the normally-reduced job may now have to be done on the Search Head.

0 Karma
Reply
Solved! Jump to solution

whisperstream
Explorer
‎07-31-2015 10:32 AM

Thanks for that "bundle replication" was the keyword I was looking for, for others interested I also found this link: http://docs.splunk.com/Documentation/Splunk/6.2.4/DistSearch/Mounttheknowledgebundle

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...