Deployment Architecture

Understanding distributed search replication blacklisting behaviour


I'm trying to understand what happens to distsearch when you black list something. For example a csv file.

I've been looking into what is the best methodology for stopping large csv files from being sent to indexers via bundle replication. We have noticed recently power users creating ever growing lookup files. These eventually result in field extraction issues as normal props/transforms don't get replicated in a timely fashion. As such we're looking to limit csv's in the bundle.

Blocking them is the easy part. ie distsearch.conf [replicationBlacklist]

My issue becomes what is the flow on effect of doing this? Indexers can no longer reference the lookup file in a search so what happened then? The indexer requires is for the search, it doesn't find it so it streams back all the results instead? Does the search just fail to return anything if it uses a inputlookup early in the search?

What is actually happening under the hood when you blacklist a lookup?

Splunk Employee
Splunk Employee
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...