This warning is present in the Job control drop-down on search heads:
The 'minemeldfeeds_lookup' KV Store lookup table is empty or has not yet been replicated to the search peer (path used is: /opt/splunk/var/run/searchpeers/...)
The error is cited for 3 of the 5 indexers in a cluster, and the search heads are in a cluster.
Is there a resolution appropriate for this version or a step we missed?
Splunk v 7.2.5.1
Palo Alto Networks Add-on for Splunk v 6.1.1
Splunk Enterprise Security is in use, and there is no other Palo Alto "app" in place. (From the installation guide: "The Add-on can be used with or without the App.")
The add-on is in place on the search heads, indexers, and heavy forwarders.
One of the previous answers mentioned setting replicate=true ...
From what I can tell, that was already set by default in this version of the add-on due to these two excerpts:
Splunk_TA_paloalto/default/transforms.conf
[minemeldfeeds_lookup]
external_type = kvstore
collection = minemeldfeeds
Splunk_TA_paloalto/default/collections.conf
[minemeldfeeds]
replicate = true
Unlike other posts on answers.splunk, we did not have an upgrade involved. That made most of the recommendations and previously accepted answers unhelpful.
The kvstore migrate command did not seem to apply to this scenario and version; nothing I found suggested there was a way to force the knowledge bundle from search head to indexers (if that is the issue), similar to the sync command available for kvstore, and shcluster-replicated-config.
Any tips would be appreciated.
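As an added example (not part of the original post and not code from the add-on), the by-hand check of the two excerpts above can be scripted: this sketch merges default/ and local/ conf text, with local overriding default, and lists KV Store lookups whose collection is not effectively replicate = true. The embedded conf text and the local override are constructed samples, the function names are hypothetical, and only `true`/`1` are treated as enabled.

```python
import configparser

# Constructed sample content mirroring the two excerpts quoted in the post,
# plus a hypothetical local/ override to show why layering matters.
DEFAULT_TRANSFORMS = """
[minemeldfeeds_lookup]
external_type = kvstore
collection = minemeldfeeds
"""
DEFAULT_COLLECTIONS = """
[minemeldfeeds]
replicate = true
"""
LOCAL_COLLECTIONS_OVERRIDE = """
[minemeldfeeds]
replicate = false
"""

def parse_layers(*layers):
    """Merge conf text in order; later layers (local/) override earlier (default/)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    for text in layers:
        cp.read_string(text)
    return cp

def unreplicated_kvstore_lookups(transforms, collections):
    """Return (lookup, collection) pairs whose collection is not replicate = true."""
    problems = []
    for stanza in transforms.sections():
        ext = transforms.get(stanza, "external_type", fallback="")
        if ext.strip().lower() != "kvstore":
            continue  # only KV Store backed lookups depend on collections.conf
        coll = transforms.get(stanza, "collection", fallback="").strip()
        value = ""  # a missing stanza or key counts as not replicated
        if collections.has_section(coll):
            value = collections.get(coll, "replicate", fallback="")
        if value.strip().lower() not in ("true", "1"):  # assumption: accepted forms
            problems.append((stanza, coll))
    return problems

if __name__ == "__main__":
    t = parse_layers(DEFAULT_TRANSFORMS)
    print("default only:", unreplicated_kvstore_lookups(
        t, parse_layers(DEFAULT_COLLECTIONS)))
    print("with local override:", unreplicated_kvstore_lookups(
        t, parse_layers(DEFAULT_COLLECTIONS, LOCAL_COLLECTIONS_OVERRIDE)))
```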