Splunk Search

Is there a standard procedure for updating lookup files in a Search Head Cluster?

siva_cg
Path Finder

Hi All,

I have read many posts in regards to updating lookup files in a Search Head Cluster, but those are dated to 2017. I want to know whether we have any standard procedure now as I am looking for the same.

My scenario is as below:

I have a Search Head Cluster and some Indexers clustered running on 7.1.3 and have built some custom apps with application data and enriching with lookup files. In order for the reports be up-to-date, I want to update these lookup files (daily). As number of lookup files are more (around 10, being used in different reports), manual update using Lookup Editor is not a good choice (at least for me).

So, I thought of writing a script to copy the lookup files from source server and update in Splunk app via CLI on each Search Head Cluster member at same time to ensure all are in sync.

Will this procedure create any syncing issues or issues while deploying from Deployer? Please guide me. Thanks in advance.

0 Karma

muralikoppula
Communicator

Load the csv as a normal lookup. Then look at doing an inputlookup of your csv followed by an outlook up to the kvstore lookup. Co sided append=true on the outputlookup if you don't want to wipe out existing data.

https://github.com/georgestarcher/Splunk-createkvstore/blob/master/makekvstore.py

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...