FAQ » History » Version 3
Luke Murphey, 04/26/2018 07:28 PM
| 1 | 1 | Luke Murphey | h1. FAQ |
|---|---|---|---|
| 2 | 1 | Luke Murphey | |
| 3 | 1 | Luke Murphey | h2. How do I audit changes to the lookup files? |
| 4 | 1 | Luke Murphey | |
| 5 | 1 | Luke Murphey | The lookup editor keeps a log that is indexed into the _internal index. You can view that logs like this: |
| 6 | 1 | Luke Murphey | |
| 7 | 1 | Luke Murphey | <pre> |
| 8 | 1 | Luke Murphey | index=_internal "Lookup edited successfully" | table _time user namespace lookup_file |
| 9 | 1 | Luke Murphey | </pre> |
| 10 | 2 | Luke Murphey | |
| 11 | 2 | Luke Murphey | h2. My lookup file cannot be opened, why not? |
| 12 | 2 | Luke Murphey | |
| 13 | 2 | Luke Murphey | Look into the logs to see if there is a reason given why the files are not loading: |
| 14 | 2 | Luke Murphey | |
| 15 | 2 | Luke Murphey | <pre> |
| 16 | 2 | Luke Murphey | index=_internal source=*lookup_editor_controller.log |
| 17 | 2 | Luke Murphey | </pre> |
| 18 | 3 | Luke Murphey | |
| 19 | 3 | Luke Murphey | h2. How do I enable replicating of the lookup file backups to other search heads when using a Search Head Cluster? |
| 20 | 3 | Luke Murphey | |
| 21 | 3 | Luke Murphey | You can enable replication of the lookup backups by using the REST replay feature. To enable this, add the following in restmap.conf (in $SPLUNK_HOME/etc/shcluster/lookup_editor/default/restmap.conf): |
| 22 | 3 | Luke Murphey | |
| 23 | 3 | Luke Murphey | <pre> |
| 24 | 3 | Luke Murphey | [global] |
| 25 | 3 | Luke Murphey | allowRestReplay = true |
| 26 | 3 | Luke Murphey | </pre> |
| 27 | 3 | Luke Murphey | |
| 28 | 3 | Luke Murphey | This will work on Splunk 6 from (6.3+) and on Splunk 7.1+. +*However, do not enable*+ this on Splunk 7.0 (7.0 to 7.0.3) because there is a bug in Splunk 7.0 that causes REST replay to crash splunkd. |