Splunk automagically builds .tsidx indexes on Lookup files which are large.
This is triggered the 1st time someone performs a query on the large Lookup.
Some really large lookups (MB to GB) take some time to build the .tsidx, so we schedule reports to run to force Splunk to build them in the early morning.
Here's the problem: in a distributed environment, that appears to only build the .tsidx files (or build them correctly) on one of the Search heads. I haven't done enough testing to prove if this behavior is "all the time" or "sometimes".
Is this a bug which I should report? Is this the expected behavior? I'm not sure what the expected behavior is for sharing the .tsidx files/indexes.
If it is expected behavior, is there a way to force the "prebuild" on each of the search heads?
Right now I'm remotely logging into each server, running Splunk as localhost, and running the query which forces the .tsidx build. Not ideal.
I'm considering KVStore, but the regular Lookup files appear to handle queries on "non-key" fields better. These Lookups have a variety of fields people may be interested in searching/looking-up on.