
Why is my distsearch.conf replicationBlacklist configuration not being applied?

Builder

Hey everyone. Our search head pool is trying to push down a 900MB+ knowledge bundle, and we are trying to fix the issue. The main problem is the Splunk for Windows app - it has generated a file called windows_perfmon_details.csv which is about 890MB (we have several hundred Windows boxes).

This obviously doesn't need to be replicated down.

I have created an app and placed it on all of our search heads, and restarted. In the app is a distsearch.conf file containing the following:

[replicationBlacklist]
winLookup = *windows_perfmon_details.csv

When I check with btool, I can see that the blacklist has been loaded under the replicationBlacklist stanza.

However, my bundles still seem to contain the offending file, so I keep getting:

Unable to distribute to peer named MYINDEXER at uri MYINDEXER:8089 because replication was unsuccessful. replicationStatus Failed

Is there an issue with my regex? Is there another step I am missing here?


Re: Why is my distsearch.conf replicationBlacklist configuration not being applied?

Path Finder

Did you find a solution for your question?

0 Karma

Re: Why is my distsearch.conf replicationBlacklist configuration not being applied?

SplunkTrust

How many accounts do you have, dmenon?

0 Karma

Re: Why is my distsearch.conf replicationBlacklist configuration not being applied?

SplunkTrust
"*" doesn't recurse directories, you want "..." instead:

[replicationBlacklist]
winLookup = ...windows_perfmon_details.csv

Not

[replicationBlacklist]
winLookup = *windows_perfmon_details.csv
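
Added example (not part of the original thread and not Splunk's own code): a small checker that applies the wildcard rules from the answer above, where "*" stays inside one path segment and "..." crosses directories, to a bundle file listing before a blacklist is deployed. It assumes the pattern must match the whole path relative to $SPLUNK_HOME/etc, which is consistent with the behaviour reported in the question; the app directory name and file list are constructed.

```python
import re

def splunk_wildcard_to_regex(pattern):
    """Translate a Splunk-style path wildcard into a compiled regex."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")        # "..." recurses across directory separators
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")     # "*" matches within a single path segment only
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))

def excluded(pattern, bundle_paths):
    """Return the paths a blacklist pattern would keep out of the bundle."""
    rx = splunk_wildcard_to_regex(pattern)
    # Assumption: the pattern has to match the entire relative path.
    return [p for p in bundle_paths if rx.fullmatch(p)]

# Constructed sample listing, relative to $SPLUNK_HOME/etc.
# "example_windows_app" is a hypothetical app directory name.
BUNDLE = [
    "apps/example_windows_app/lookups/windows_perfmon_details.csv",
    "apps/example_windows_app/default/props.conf",
    "apps/search/lookups/geo.csv",
]

if __name__ == "__main__":
    for pat in ("*windows_perfmon_details.csv",
                "...windows_perfmon_details.csv",
                "apps/*/lookups/windows_perfmon_details.csv"):
        print(pat, "->", excluded(pat, BUNDLE))
```

Running it against a real listing of the bundle contents shows whether a pattern catches the large file before the search heads are restarted.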


Re: Why is my distsearch.conf replicationBlacklist configuration not being applied?

Path Finder

like this:

[replicationBlacklist]
whatever = apps/app_name/lookups/file.csv

0 Karma

Re: Why is my distsearch.conf replicationBlacklist configuration not being applied?

SplunkTrust

I believe he wanted a wildcard in there somewhere, benic.

0 Karma