Splunk Enterprise Security

Why does adding head (1==1) fix this strange lookup error?

compuchip
Engager

Both queries work on our non ES server; however, only the first query works on our ES server.

This query works in both places:

index=myIndexFile 
| head (1==1)
| lookup myserverlist my_host

This query throws the following error on our ES server:
Streamed search execute failed because: "[IndexServerName] Error in 'lookup' command: Could not construct lookup 'myserverlist , my_host'. See search.log for more details.." I've looked at the search.log file and found nothing useful.

index=myIndexFile 
| lookup myserverlist my_host
0 Karma
1 Solution

manjunathmeti
Champion

The lookup command is a distributable streaming command when local=false, which is the default setting, and a distributable streaming command runs on the indexer servers. So in your second query the lookup is running on the indexer server [IndexServerName] and failing because the lookup is not created there. You need to provide local=true in the lookup command to run it on the search heads.

index=myIndexFile 
| lookup local=true myserverlist my_host

Why does the first query work?
It uses the head command, which is a centralized streaming command that only runs on search heads. Before the head command is executed, the indexers send the results to the search head, and all subsequent commands run on the search head only. So in this case the lookup runs on the search head and it works.

Check this link to understand this better: https://docs.splunk.com/Documentation/Splunk/8.0.2/Search/Writebettersearches#Parallel_processing_ex...

Check below links for more info:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Search/Typesofcommands
https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Commandsbytype


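The accepted answer explains the rule behind all three queries: distributable streaming commands run on the indexers until the pipeline reaches a centralized streaming command (or a lookup with local=true), after which every remaining command runs on the search head. The Python below is an added example, not code from the thread or from Splunk; it models that rule over a pipeline string so you can see, for each stage, where it executes and which lookups would be resolved on indexers that may not have the lookup definition. The command-type table covers only the two commands the thread discusses (head is centralized, lookup is distributable by default); the `COMMAND_TYPES` dict, the `Stage` class and the treatment of unknown commands as distributable are assumptions for this example.

```python
from dataclasses import dataclass, field

# Command types as the answer (and the linked Commandsbytype docs) describe them.
# Assumed, minimal table for this example: extend it from the Splunk docs for
# other commands. Anything not listed is assumed to be distributable.
COMMAND_TYPES = {
    "head": "centralized",      # runs only on the search head
    "lookup": "distributable",  # runs on indexers unless local=true
}


@dataclass
class Stage:
    command: str
    args: list = field(default_factory=list)
    runs_on: str = "indexer"    # "indexer" or "search_head"
    note: str = ""


def _options(args):
    """Collect key=value options from a command's arguments (e.g. local=true)."""
    return {a.split("=", 1)[0].lower(): a.split("=", 1)[1] for a in args if "=" in a}


def plan(spl, command_types=COMMAND_TYPES):
    """Assign each pipeline stage to the tier it would execute on.

    Model (from the thread): results stay on the indexers until a centralized
    command, or a lookup with local=true, pulls them to the search head; once
    on the search head they never go back, so later stages stay there too.
    """
    stages = [s.strip() for s in spl.split("|") if s.strip()]
    # The base search (index=...) always runs on the indexers.
    result = [Stage("search", stages[0].split(), "indexer", "base search")]
    on_search_head = False
    for stage in stages[1:]:
        tokens = stage.split()
        cmd, args = tokens[0].lower(), tokens[1:]
        ctype = command_types.get(cmd, "distributable")
        opts = _options(args)
        if on_search_head:
            where, note = "search_head", "results already on the search head"
        elif cmd == "lookup" and opts.get("local", "false").lower() == "true":
            where, note = "search_head", "local=true forces search-head execution"
            on_search_head = True
        elif ctype == "centralized":
            where, note = "search_head", "centralized streaming command"
            on_search_head = True
        else:
            where, note = "indexer", "distributable streaming command"
        result.append(Stage(cmd, args, where, note))
    return result


def lookups_on_indexers(spl, command_types=COMMAND_TYPES):
    """Names of lookups that would be resolved on the indexers.

    This is the failure mode from the thread: the lookup definition exists on
    the search head (ES) but not on the indexer, so the command errors out.
    """
    names = []
    for s in plan(spl, command_types):
        if s.command == "lookup" and s.runs_on == "indexer":
            positional = [a for a in s.args if "=" not in a]
            if positional:
                names.append(positional[0])
    return names


if __name__ == "__main__":
    # The three queries from the thread, reproduced as constructed input.
    queries = {
        "head then lookup": "index=myIndexFile | head (1==1) | lookup myserverlist my_host",
        "lookup only": "index=myIndexFile | lookup myserverlist my_host",
        "lookup local=true": "index=myIndexFile | lookup local=true myserverlist my_host",
    }
    for label, q in queries.items():
        print(f"== {label}")
        for st in plan(q):
            print(f"  {st.command:<8} -> {st.runs_on:<12} ({st.note})")
        print("  lookups at risk on indexers:", lookups_on_indexers(q))
```

Running the script prints the execution tier per stage for each query: only the "lookup only" pipeline reports `myserverlist` as resolved on the indexers, matching the error the question describes. The same `lookups_on_indexers` check can be run over saved searches or correlation searches before deploying them to a distributed ES environment.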
