I have 2 indexers and 1 search head.
I migrated from Splunk 5 to 6 and had some difficulty with realtime alerts and LDAP lookups. I also moved from Windows to Linux.
Anyway, my workaround was to dump the LDAP data I was looking for into a kvstore (I wanted to give it a try before falling back to a CSV lookup). I then wanted to set up an automatic lookup to have the searches always come back with the extra data from LDAP I was looking for.
The kvstore setup on the search head was fine, but I can't seem to get it to replicate to the indexers (which seems to be necessary if you use the automatic lookups).
I tried to create the collection on all 3 servers, I tried to create the lookup table on all 3, and I also manually enabled replication = true. None of these combinations seem to get the collection data on all the servers. Can someone explain step by step?