
Why is my automatic lookup not working with a search head cluster?

aamer86
Path Finder

I have an indexer cluster and a search head cluster.
I want to use a CSV threat feed to add an IP reputation field using an automatic lookup.

I tried using all the online resources, but it doesn't work.

Does anyone know of a limitation for doing an automatic lookup with search head clustering?
I used both the web-based and the config-file-based options, but neither worked.

I did the manual checks and they all worked.

0 Karma
1 Solution

aamer86
Path Finder

Thanks @Vasu, I found the problem.

I had the Security Essentials app installed on all search heads, which includes a lookup table named account_status_tracker that was being used as the default source for any lookup operation (could be a bug in this app for Splunk to check).
Once I removed the Security Essentials app, it worked (not sure why; the lookup was going to this table).

0 Karma


VatsalJagani
Champion

Please verify:

* You need to make all these configurations from the SHC UI or the deployer.

* Make sure you have the automatic lookup definition in the same app as your lookup CSV file.

* Your automatic lookup configuration is replicated to all the search heads correctly.

* By default all CSV lookups are replicated to the indexers automatically, but if not, you can set the "replicate=true" parameter in the transforms.conf entry with your lookup definition.

* Please make sure there are no warnings/errors in search.log when you try to search that data, via the Job Inspector.

0 Karma
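A worked configuration that follows the checklist above, added here as an example; it is not taken from the thread or from Splunk's documentation. The app name threat_intel_app, the CSV file name ip_reputation.csv and its columns, and the firewall sourcetype with a src_ip field are all assumptions.

```ini
# All files live in one app staged on the deployer:
#   $SPLUNK_HOME/etc/shcluster/apps/threat_intel_app/
#
# lookups/ip_reputation.csv  (constructed sample content, not a real feed)
#   ip,reputation,feed
#   198.51.100.7,malicious,constructed-feed
#   203.0.113.25,suspicious,constructed-feed

# default/transforms.conf -- the lookup definition, same app as the CSV
[ip_reputation_lookup]
filename = ip_reputation.csv
# Ship the CSV to the indexers inside the knowledge bundle so the
# automatic lookup also resolves when field extraction runs remotely.
replicate = true

# default/props.conf -- the automatic lookup, bound to the sourcetype
# that carries the IP addresses (assumed sourcetype: firewall)
[firewall]
# Match the event's src_ip against the CSV "ip" column and add the
# reputation/feed columns under explicit names. OUTPUTNEW never
# overwrites a field that the event already has.
LOOKUP-ip_reputation = ip_reputation_lookup ip AS src_ip OUTPUTNEW reputation AS ip_reputation feed AS ip_reputation_feed

# metadata/default.meta -- make the objects visible to searches run from
# other apps (e.g. the Search app) rather than only threat_intel_app
[lookups]
export = system

[transforms]
export = system

[props]
export = system

# After staging the app, push it from the deployer (as in the thread):
#   splunk apply shcluster-bundle -target https://<shc-member>:8089
# Then verify on a search head member:
#   | inputlookup ip_reputation_lookup
#   sourcetype=firewall | table src_ip ip_reputation ip_reputation_feed
```

If the inputlookup works but the sourcetype search shows no ip_reputation field, the lookup definition replicated but the props.conf stanza did not reach the members or does not match the sourcetype name.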

aamer86
Path Finder

The automatic lookup (transforms.conf) file is not replicating from the deployer to the search heads.

0 Karma

VatsalJagani
Champion

Have you executed the command below after making the changes?

splunk apply shcluster-bundle -target <URI>:<management_port>

If you are not sure about the deployer and the bundle push command, please refer to https://docs.splunk.com/Documentation/Splunk/8.2.5/DistSearch/PropagateSHCconfigurationchanges

0 Karma

aamer86
Path Finder

Yes, I did this.

0 Karma

VatsalJagani
Champion

Please make sure you have your config in the right directory on the deployer. Also, make sure the file has no permission issues.
Please check Splunk's _internal log regarding this, to see if there is any WARN or ERROR.

0 Karma

aamer86
Path Finder

I tried it and it is still not working.

0 Karma