Solved: Searchhead cluster captain's /opt/splunk/var/run/f...

lim2 · ‎11-17-2022

Search head cluster captain's /opt/splunk/var/run/file.bundle still has the csv even though file was added in the /opt/splunk/etc/system/local/distsearch.conf's [replicationBlacklist].

$SPLUNK_HOME/bin/splunk btool distsearch list --debug

showing the csv file in the [replicationBlacklist] list but the csv file still in the latest bundle on the SH captain? Could this a bug for Splunk 8.2.4 (build 87e2dda940d1) when the number of entries in [replicationBlacklist] exceeds a number? in this case there are entries from blacklist_lookups_1 to blacklist_lookups_79.

Thanks in advance for inputs.

isoutamo · ‎11-17-2022

Hi

as you have a search head cluster, you should add a separate app on deployer where you define this value. Then just apply this bundle to shc. That way you have correct setting on all SHC nodes and captain will manage needed restarts.
r. Ismo

View solution in original post

isoutamo · ‎11-17-2022

Hi

as you have a search head cluster, you should add a separate app on deployer where you define this value. Then just apply this bundle to shc. That way you have correct setting on all SHC nodes and captain will manage needed restarts.
r. Ismo

richgalloway · ‎11-17-2022

Perhaps the replicationDenylist entry is incorrect. Would you please share it and the name of the CSV file?

---
If this reply helps you, Karma would be appreciated.

lim2 · ‎11-17-2022

Hi Rich,
in Splunk enterprise 8.2.4 it seems that one could still use (https://docs.splunk.com/Documentation/Splunk/8.2.4/DistSearch/Limittheknowledgebundlesize)
[replicationBlacklist]
blacklist_lookups_29 = apps/myapp/Monthly_Report_October.csv

Been looking at steps in https://community.splunk.com/t5/Splunk-Search/Large-lookup-caused-the-bundle-replication-to-fail-Wha... and https://community.splunk.com/t5/Splunk-Search/knowledge-bundle/m-p/510716#M177409

on the SH captain ran
tar -tvf /opt/splunk/var/run/78524745-C43A-45DC-8BFD-0B70A953F9C9-1668718172.bundle |sort -k 3 -rn|grep October.csv
still saw the following entry:
-rw------- splunk/splunk 123151739 2022-11-09 22:15 apps/myapp/lookups/Monthly_Report_October.csv
Strange right? Thanks.

richgalloway · ‎11-17-2022

I think you may have described the problem.

[replicationBlacklist]
blacklist_lookups_29 = apps/myapp/Monthly_Report_October.csv

tar -tvf /opt/splunk/var/run/78524745-C43A-45DC-8BFD-0B70A953F9C9-1668718172.bundle |sort -k 3 -rn|grep October.csv
still saw the following entry:
-rw------- splunk/splunk 123151739 2022-11-09 22:15 apps/myapp/lookups/Monthly_Report_October.csv

The blacklisted file path does not match that in the bundle.

Try

[replicationBlacklist]
blacklist_lookups_29 = apps/myapp/lookups/Monthly_Report_October.csv

---
If this reply helps you, Karma would be appreciated.

lim2 · ‎11-18-2022

Thanks for replies Rich. Double checked the path which I updated for this question and missed 1 section of the path. Issue got resolved. Bests.

Searchhead cluster captain's /opt/splunk/var/run/file.bundle still has the csv even though file was added in replicatio

search head clustering

Buttercup Games: Further Dashboarding Techniques (Part 7)

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Mastering Data Pipelines: Unlocking Value with Splunk