Deployment Architecture

Understanding distributed search replication blacklisting behaviour


I'm trying to understand what happens to distsearch when you black list something. For example a csv file.

I've been looking into what is the best methodology for stopping large csv files from being sent to indexers via bundle replication. We have noticed recently power users creating ever growing lookup files. These eventually result in field extraction issues as normal props/transforms don't get replicated in a timely fashion. As such we're looking to limit csv's in the bundle.

Blocking them is the easy part. ie distsearch.conf [replicationBlacklist]

My issue becomes what is the flow on effect of doing this? Indexers can no longer reference the lookup file in a search so what happened then? The indexer requires is for the search, it doesn't find it so it streams back all the results instead? Does the search just fail to return anything if it uses a inputlookup early in the search?

What is actually happening under the hood when you blacklist a lookup?

Splunk Employee
Splunk Employee
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...