On our Search Head Cluster, we have many home-grown apps with dozens of lookup files each. In some cases, the lookup files are generated with the outputlookup command. In other cases, these files are updated statically through an application release process to our Deployer.
There is an option `-preserve-lookups true` in the `splunk apply shcluster-bundle` command. This works well for the generated lookup files, but not for the externally updated files. Do we have to coordinate with the dozens of app teams to rsync their lookup file updates between SHC nodes?
More generally, are there "best practices" for managing multiple federated app development teams on a single search head cluster where updating from the Deployer and from the GUI are both desired?
↧