Splunk Search

Can automated lookups be defined on a search head but not pushed to search peers?

sspinner
Explorer

I have a 60MB lookup file on my ES search head that is only used for automated lookups against data indexed locally on the search head. To reduce the replication bundle size, I blacklisted this lookup file in distsearch.conf, but now every search peer produces the error message:

"The lookup table 'tracked_vulns' does not exist. It is referenced by configuration 'x_vuln'."

where x_vuln is the sourcetype of the locally indexed records.

Since this sourcetype only exists locally on the search head, and the indexers do not need to use this lookup, is there a way to force the peers to ignore it?


woodcock
Esteemed Legend

You need to manually distribute (one time) the lookup file to each indexer and be sure it is in exactly the right place (mirroring the location on the search head) or you can give up on automatic and use local=true. Normally this would cause your search performance to suffer but it sounds like this will not happen in your case. If you go the latter route, you can wrap the manual lookup in a macro to make it a bit more "automaticish".

Description: If local=true, forces the lookup to run on the search head ...
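As an added illustration (not configuration from the original thread or from Splunk's docs), here is how the blacklist from the question and the local=true macro workaround from this answer fit together. The app name SA-vuln_tracking and the field names cve and tracking_status are placeholders; only tracked_vulns, x_vuln and the blacklist/macro mechanism come from the thread. The key point is that props.conf itself is still replicated, so the peers keep seeing the automatic lookup reference even after the CSV is blacklisted; the automatic lookup has to go, and the macro takes its place.

```ini
# distsearch.conf on the search head (app name is a placeholder).
# Regex is matched against the path relative to $SPLUNK_HOME/etc.
# This keeps the 60MB CSV out of the knowledge bundle, as in the question.
[replicationBlacklist]
excludeTrackedVulns = apps/SA-vuln_tracking/lookups/tracked_vulns\.csv

# transforms.conf: the lookup table definition can stay. It only causes an
# error on a peer when something on that peer actually references it.
[tracked_vulns]
filename = tracked_vulns.csv

# props.conf: the automatic lookup that produced the peer error. props.conf
# IS replicated, so every peer tries to resolve tracked_vulns and fails.
# The LOOKUP- setting is removed; enrichment moves to the macro below.
[x_vuln]
# LOOKUP-tracked = tracked_vulns cve OUTPUT tracking_status   (removed)

# macros.conf: wrap the manual lookup so the search string stays short.
# local=true forces the lookup to run on the search head, where the file is,
# so the nightly refresh of the CSV is picked up without any distribution.
[vuln_enrich]
definition = lookup local=true tracked_vulns cve OUTPUT tracking_status
```

A search then reads `sourcetype=x_vuln | \`vuln_enrich\``. To confirm the blacklist is being honoured, `splunk btool distsearch list replicationBlacklist --debug` on the search head shows the effective stanza and the file it came from; after the next bundle push the peers should no longer log the "does not exist" message, since nothing in the replicated props.conf references the lookup any more.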

sspinner
Explorer

The lookup table is updated nightly so one-time distribution doesn't really solve the problem, and I wanted to avoid having to include the lookup in my search string. I guess I'll have to submit this as a feature request.

Your suggestion to use a macro sounds like the best workaround. Thanks


woodcock
Esteemed Legend

Don't forget to click "Accept" to close the question.
