Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

when executing an external lookup, does splunk execute it on all nodes or just on the search head?

whisperstream
Explorer
‎07-31-2015 09:35 AM

I have a set of log data that contains user_ids, and want to do a lookup to resolve the user_id to an email address. I have an external look that can programmatically resolve each user's id, but am wondering (assuming I have a 4 node cluster) if splunk will execute 4 instances of the lookup script in parallel or if it only launches one (or if it's configurable?)

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-31-2015 10:04 AM

Normally, Splunk sends the lookup file from the Search Head in the bundle replication process to the Indexers and the lookups are done there. However, you can force the lookups to be done on the search head with the local=true:

Syntax: local=<bool>
Description: If local=true, forces the lookup to run on the search head and not on any remote peers.

Obviously, this can very drastically impact performance because some of the normally-reduced job may now have to be done on the Search Head.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎07-31-2015 10:04 AM

Normally, Splunk sends the lookup file from the Search Head in the bundle replication process to the Indexers and the lookups are done there. However, you can force the lookups to be done on the search head with the local=true:

Syntax: local=<bool>
Description: If local=true, forces the lookup to run on the search head and not on any remote peers.

Obviously, this can very drastically impact performance because some of the normally-reduced job may now have to be done on the Search Head.

0 Karma
Reply
Solved! Jump to solution

whisperstream
Explorer
‎07-31-2015 10:32 AM

Thanks for that "bundle replication" was the keyword I was looking for, for others interested I also found this link: http://docs.splunk.com/Documentation/Splunk/6.2.4/DistSearch/Mounttheknowledgebundle

0 Karma
Reply
Get Updates on the Splunk Community!

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...

Combine multiline logs into a single event with SOCK - a step-by-step guide for newbies Olga Malita The ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...