Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Distributed Search Knowledge Bundle Regex

Splunker
Communicator
‎12-19-2011 03:51 AM

Folks,

I have a Splunk 4.2.4 search-head and indexer on another machine in a distributed setup.

I'm getting an error in my splunkd.log about my knowledge bundle timing out replicating from search-head to indexer.

I've tried the following in my distsearch.conf:

[replicationWhitelist]
allConf = *.conf
allSpec = *.spec

Based on the Splunk docs. Looking in $SPLUNK_HOME/var/run/searchpeers/(latest).bundle on the indexer i see all sorts of files in the tarball not just the ones i've allowed via my whitelist.

I've restarted both search-head & indexer and am not sure what to try next? Do i also need a global blacklist?

Thanks.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Splunker
Communicator
‎12-26-2011 01:59 AM

I managed to fix the above problem after realising the regex's need the full path to the offending large files.

*.conf seems to only match in the root-level directories ($SPLUNK_HOME/etc /users /etc/apps, etc..)

Something like (i had a large lookup list in my Google Maps and MAXMIND app (the geoip DB)):

[replicationBlacklist]
AppMapsCSV = maps/local/*.csv
AppMaxMindCSV = MAXMIND/local/*.csv

Did the trick, which significantly dropped my knowledge bundle size to something more manageable.

Hope it helps someone 🙂

View solution in original post

Reply
Solved! Jump to solution
Solution

Splunker
Communicator
‎12-26-2011 01:59 AM

I managed to fix the above problem after realising the regex's need the full path to the offending large files.

*.conf seems to only match in the root-level directories ($SPLUNK_HOME/etc /users /etc/apps, etc..)

Something like (i had a large lookup list in my Google Maps and MAXMIND app (the geoip DB)):

[replicationBlacklist]
AppMapsCSV = maps/local/*.csv
AppMaxMindCSV = MAXMIND/local/*.csv

Did the trick, which significantly dropped my knowledge bundle size to something more manageable.

Hope it helps someone 🙂

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Updates (ESCU) - New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 3 releases of new content via the Enterprise ...

Thought Leaders are Validating Your Hard Work and Training Rigor

As a Splunk enthusiast and member of the Splunk Community, you are one of thousands who recognize the value of ...

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...