I have a lookup file in a particular app that I use to enrich data from a particular index. This file, lookup_file.csv for example, changes each month, so we make those changes as necessary and upload a new file via the GUI.
Recently, I noticed that the lookup command does not return all results in search, whereas the inputlookup command does. I know the two function differently and there could be a legitimate explanation (i.e. lookup could be looking at data in memory vs. on disk); however, I'm not sure how to force a fresh read of the file.
The file has changed over time to exceed the default 10MB max_memtable_bytes in limits.conf. I assume this means that the file will no longer be stored in memory, but rather indexed. However, I am not seeing the .index directory I would expect if that were the case. Additionally, I can substantially change the contents of the file (i.e. I removed 100k of the 116k rows) and still get the same results returned as before. Also, oddly enough, if I remove the file altogether, Splunk returns an error.
I assume all of this means that there is a reference stored in Splunk somewhere to old data and not refreshing when we make our changes. I'm not sure where that is or how I would refresh that reference. I have restarted splunkd AND rebooted the search head, assuming that the in-memory reference would refresh or the file would be indexed. Unfortunately, neither has happened. Any thoughts on what could be happening? Any references that may help me understand what's going on?
Lastly, if it's of consequence, the file is a lookup stored in the user_dashboards app ... on a SH cluster.
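The searches below are an added diagnostic example, not part of the original post or of Splunk's documentation, for narrowing down where the stale copy of the file is being read from. They use REST endpoints and the `lookup` / `inputlookup` commands as described in the post; the index name `my_index`, the key field `key_field` and the output field `enrich_field` are placeholders that have to be replaced with the real names, and the results should be compared on each search head in the cluster because the file may differ between members.

```spl
| rest /services/data/lookup-table-files splunk_server=local
| search title="lookup_file.csv"
| table title eai:acl.app eai:acl.sharing eai:data updated

| rest /services/configs/conf-limits/lookup splunk_server=local
| fields max_memtable_bytes max_matches batch_index_query

| inputlookup lookup_file.csv
| stats count AS rows_from_inputlookup

index=my_index earliest=-15m
| lookup lookup_file.csv key_field OUTPUT enrich_field
| stats count AS events_total, count(enrich_field) AS events_enriched
```

The first search lists every copy of `lookup_file.csv` visible to the local search head, including which app it lives in and its path on disk (`eai:data`), so a second copy in another app or a different sharing scope shows up immediately. The second search reports the effective `max_memtable_bytes` limit on that member. The last two searches give a row count from the file on disk and a match count from the `lookup` command; if the row count tracks your edits but the match count does not, the enrichment is being served from something other than the file you uploaded.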