Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Understanding distributed search replication blacklisting behaviour

Lucas_K
Motivator
‎11-01-2015 04:06 PM

I'm trying to understand what happens to distsearch when you black list something. For example a csv file.

I've been looking into what is the best methodology for stopping large csv files from being sent to indexers via bundle replication. We have noticed recently power users creating ever growing lookup files. These eventually result in field extraction issues as normal props/transforms don't get replicated in a timely fashion. As such we're looking to limit csv's in the bundle.

Blocking them is the easy part. ie distsearch.conf [replicationBlacklist]

My issue becomes what is the flow on effect of doing this? Indexers can no longer reference the lookup file in a search so what happened then? The indexer requires is for the search, it doesn't find it so it streams back all the results instead? Does the search just fail to return anything if it uses a inputlookup early in the search?

What is actually happening under the hood when you blacklist a lookup?

Reply

bsriramineni_sp
Splunk Employee
Splunk Employee
‎09-27-2017 12:24 AM

Your question is answered in the below post.

https://answers.splunk.com/answers/302532/large-lookup-caused-the-bundle-replication-to-fail.html

Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...