I have 2 indexers and 1 search head.
i migrated from splunk 5 to 6 and had some difficulty with realtime alerts and ldap lookups. also moved from windows to linux.
anyway my work around was to dump the ldap data i was looking for into a kvstore (wanted to give it a try before failing back to csv lookup). i then wanted to setup a automatic lookup to have the searches always come back with the extra data from ldap i was looking for.
the kvstore setup on the search head was fine, but i cant seem to get it to replicate to the indexers (which seems to be necessary if you use the automatic lookups).
I tried to create the collection on all 3 servers, i tried to create the lookup table on all 3, i also manually enabled replication = true. none of these combinations seem to get the collection data on all the servers. can someone explain step by step ?
yup, all 3 servers are on 6.3.1
fresh installs
Are you on V6.3? That is the first version that replicates KVStore lookups to indexers.
Either way, I would probably stick with the csv-based lookups.
has this been solved?
because i kind of have the same issue of replicating kv store.
no answer, i gave up. i will wait for the next few versions and hopefully its documented a little better also.