I was wondering if anyone else experienced an issue using the lookup tables in a distributed environment? I received an error indicating the indexers did not know about the lookup tables. I suspect the issue is with the large application name causing a problem with bundle replication.
I didn't spend too much time troubleshooting this. I just added a second app with a shorter name that included ONLY the lookup tables. It is now working fine for me. I am not looking for an answer, I was just hoping this may help someone else.
jhall0007- Thanks for mentioning this. This is a known problem and will be addressed. While placing the lookups in a new app works, the problem is that the app blacklists the sample lookups in distsearch.conf. However, it's overzealous and blacklists ALL the lookups. 🙂
Out of the box:
excludeSSE1 = ...Splunk_Security_Essentials_for_Ransomware/lookups...
excludeSSE2 = ...Splunk_Security_Essentials_for_Ransomware\lookups...
Fix:
excludeSSE1 = ...Splunk_Security_Essentials_for_Ransomware/lookups/UC...
excludeSSE2 = ...Splunk_Security_Essentials_for_Ransomware\lookups\UC...
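To see why the stock blacklist stops every lookup in the app from reaching the indexers while the narrowed one only stops the shipped UC sample lookups, here is an added check (not part of the thread or the app) that applies Splunk's documented replication-list wildcard rules to sample paths. It assumes "..." is a recursive wildcard and "*" a single path element, treats "/" and "\" as interchangeable separators, and uses constructed lookup file names.

```python
import re

# Splunk's documented wildcard rules for distsearch.conf replication lists:
# "..." matches anything (including separators), "*" matches one path element.
# Assumptions in this helper: "/" and "\" are both treated as a separator, all
# other characters are literal, and an unanchored search is used for matching.
def splunk_pattern_to_regex(pattern: str) -> re.Pattern:
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append(r"[^/\\]*")
            i += 1
        elif pattern[i] in "/\\":
            parts.append(r"[/\\]")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(parts))

def blacklisted_by(blacklist: dict, path: str) -> list:
    """Names of the blacklist entries that keep `path` from being replicated."""
    return [name for name, pat in blacklist.items()
            if splunk_pattern_to_regex(pat).search(path)]

# Paths are relative to $SPLUNK_HOME/etc, as Splunk matches them. File names are constructed.
APP = "apps/Splunk_Security_Essentials_for_Ransomware/lookups/"
SAMPLE_PATHS = [
    APP + "UC_ransomware_samples.csv",   # a shipped UC* sample lookup
    APP + "my_custom_lookup.csv",        # a lookup the searches actually need
]

OUT_OF_THE_BOX = {
    "excludeSSE1": "...Splunk_Security_Essentials_for_Ransomware/lookups...",
    "excludeSSE2": "...Splunk_Security_Essentials_for_Ransomware\\lookups...",
}
FIXED = {
    "excludeSSE1": "...Splunk_Security_Essentials_for_Ransomware/lookups/UC...",
    "excludeSSE2": "...Splunk_Security_Essentials_for_Ransomware\\lookups\\UC...",
}

def not_replicated(blacklist: dict) -> list:
    """Sample lookups that would be withheld from the indexers under `blacklist`."""
    return [p for p in SAMPLE_PATHS if blacklisted_by(blacklist, p)]

if __name__ == "__main__":
    print("stock blacklist withholds:", not_replicated(OUT_OF_THE_BOX))
    print("fixed blacklist withholds:", not_replicated(FIXED))
```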