All Apps and Add-ons

MS Windows AD Objects: Is it possible to safely blacklist the lookup files produced by the app on a Search Head in a distributed environment?

Splunk Employee
Splunk Employee

We use a Splunk Cloud environment. The MS Windows AD Objects app has produced several large AD.* CSV lookup files - 1.9GB, 62MB, 49MB, and 12MB. Replication to the indexing tier of the knowledge bundle does not succeed primarily because of the 1.9GB file. Rather than attempt to increase maxmemtablebytes and/or reducing the update times, can one safely blacklist the AD.* CSV lookup files in distsearch.conf? Not clear if any or all are needed by the indexing tier.

Thanks for any insight.

0 Karma
1 Solution

Splunk Employee
Splunk Employee

The lookup files do not need to be replicated to the indexing tier. I will update the app to ensure this is not attempted. For your cloud instance I would recommend to open a support ticket to Blacklist the AD*.csv Lookuos, since each application update requires vetting from our Cloud Support team.

Hopefully this answers your question.

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

The lookup files do not need to be replicated to the indexing tier. I will update the app to ensure this is not attempted. For your cloud instance I would recommend to open a support ticket to Blacklist the AD*.csv Lookuos, since each application update requires vetting from our Cloud Support team.

Hopefully this answers your question.

View solution in original post

0 Karma

Splunk Employee
Splunk Employee

Thank you - appreciate the quick and concise answer. Preventing the replication from occurring from within the app would be a welcome update; in the meantime we have already started the blacklisting process. Thanks again!

0 Karma