I've been trying to find how to create automatic lookups on a distributed deployment.
I have a fairly large collection of normal search-time lookups on my search head cluster, but when I try to make one work as an automatic lookup, I get errors saying the lookup table doesn't exist on the indexers involved (also clustered).
So, do I create the lookup table and transforms/props config on the cluster master and push to the indexers, or is there a way of telling the system to run that auto-lookup locally on the search heads? My Google-fu doesn't seem to be good enough to filter out all the info regarding either (but not both of) automatic lookups or distributed deployments.
I'm doing the lookup as automatic as it seems to be the only way to do a CIDR-based lookup, as per https://answers.splunk.com/answers/93620/lookup-with-cidr.html
Again, I could be wrong there.
:-)