Deployment Architecture

Understanding distributed search replication blacklisting behaviour

Lucas_K
Motivator

I'm trying to understand what happens to distsearch when you black list something. For example a csv file.

I've been looking into what is the best methodology for stopping large csv files from being sent to indexers via bundle replication. We have noticed recently power users creating ever growing lookup files. These eventually result in field extraction issues as normal props/transforms don't get replicated in a timely fashion. As such we're looking to limit csv's in the bundle.

Blocking them is the easy part. ie distsearch.conf [replicationBlacklist]

My issue becomes what is the flow on effect of doing this? Indexers can no longer reference the lookup file in a search so what happened then? The indexer requires is for the search, it doesn't find it so it streams back all the results instead? Does the search just fail to return anything if it uses a inputlookup early in the search?

What is actually happening under the hood when you blacklist a lookup?

bsriramineni_sp
Splunk Employee
Splunk Employee
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...