Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

What are the use cases where lookups are needed on the indexers/search-peers?

pradeepkumarg
Influencer
‎05-16-2016 10:45 AM

I want to blacklist all the lookups from the replication bundle and would like to understand what are some valid use cases where you may need the lookups in the bundle reaching to search peers.

Thanks in advance!
Pradeep

0 Karma
Reply

somesoni2
Revered Legend
‎05-17-2016 09:07 AM

i) The lookup is only needed on the Search Head when Lookup is done after aggregation. For example, in this scenario the lookup is only needed on the SH

index=foo | stats count by field1 | lookup somelookup field1 OUTPUT lookupfield

ii) Here's an example where the lookup is needed on the indexers (opposite of above scenario)

index=foo | lookup somelookup field1 OUTPUT lookupfield | stats count by lookupfield

iii) Lookup are used only for the Dashboard dropdown (selectiom), these lookup need not be send to the indexer.

iv) If the lookup is defined using props.conf (automatic lookups), these lookups are defined as Global and will be required on the indexers.

[my_lookuptype]
LOOKUP-foo = mylookuptable userid AS myuserid OUTPUT username AS myusername

Reply

pradeepkumarg
Influencer
‎05-19-2016 06:53 AM

@somesoni2 For the scenario 2, I've blacklisted a lookup in distserach.conf not to be in the part of bundle and I was still successfully able to run the search using lookup command without any issues.

We have had issues with users creating large lookups and subsequently increasing the bundle size greatly which resulted in bundle replication errors and causing job delays for the schedule searches. I still don't understand a valid reason why lookups are needed on the indexers in the bundle other than auto lookups.

0 Karma
Reply

pradeepkumarg
Influencer
‎05-17-2016 09:33 AM

Thanks for the response. For the second scenario, what if I use option local=true which forces to run on the search head ?

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...