See the docs about preserving lookup files through deployment and upgrades :
Any app that uses lookup tables typically ships with stubs for the table files. Once the app is in use on the search head, the tables get populated as an effect of runtime processes, such as searches. When you later upgrade the app, by default the populated lookup tables get overwritten by the stub files from the latest version of the app, causing you to lose the data in the tables.
To avoid this problem, you can stipulate that the stub files in upgraded apps not overwrite any table files of the same name already on the cluster members. Run the splunk apply shcluster-bundle command on the deployer, setting the -preserve-lookups flag to "true":
splunk apply shcluster-bundle -target https://server:8089 -preserve-lookups true -auth admin:changeme
Note the following:
The default for -preserve-lookups is "false". In other words, by default, the populated lookup tables are overwritten on upgrade.
... View more