Fundamental issue with Splunk's architecture for overwriting other app's configuration

I don't understand why Splunk implemented a priority architecture which can overwrite another app's property. I wanted to blacklist each app's CSVs and I used the stanzas as below in distsearch.conf. To my surprise, one of the apps' CSVs were not blacklisted.

excludeLookup = apps/app1_kpi/lookups/*.csv

excludeLookup = apps/app2_kpi/lookups/*.csv

Both are global sharing. We changed the sharing but got same result.

Will Splunk change this architecture in the future? This is very dangerous for managing. The app concept is fundamentally violated.

0 Karma


To work around this, make sure the names are unique, like this:


App1_excludeLookup = apps/app1_kpi/lookups/*.csv


App2_excludeLookup = apps/app2_kpi/lookups/*.csv
0 Karma
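
The collision discussed in this thread, as an added example (not code from the original posts or from Splunk): a small Python check that layers each app's distsearch.conf and reports setting names defined by more than one app. The `[replicationBlacklist]` stanza name, the sample file contents, and the rule that the app directory sorting first wins are assumptions.

```python
from collections import defaultdict

# Constructed sample input: each app's distsearch.conf as described in the thread.
# Assumption: the settings sit under [replicationBlacklist]; the post does not show the stanza.
SAME_KEY = {
    "app1_kpi": "[replicationBlacklist]\nexcludeLookup = apps/app1_kpi/lookups/*.csv\n",
    "app2_kpi": "[replicationBlacklist]\nexcludeLookup = apps/app2_kpi/lookups/*.csv\n",
}
UNIQUE_KEYS = {
    "app1_kpi": "[replicationBlacklist]\nApp1_excludeLookup = apps/app1_kpi/lookups/*.csv\n",
    "app2_kpi": "[replicationBlacklist]\nApp2_excludeLookup = apps/app2_kpi/lookups/*.csv\n",
}

def parse_conf(text):
    """Yield (stanza, key, value) from .conf text; skips blank lines and # comments."""
    stanza = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif "=" in line:
            key, value = line.split("=", 1)
            yield stanza, key.strip(), value.strip()

def merge(apps):
    """Layer all apps into one view and return (effective, collisions).

    effective:  {(stanza, key): (app, value)} after merging
    collisions: {(stanza, key): [apps]} for keys set by more than one app
    Assumption: the app whose directory name sorts first wins a collision.
    """
    effective, setters = {}, defaultdict(list)
    for app in sorted(apps):
        for stanza, key, value in parse_conf(apps[app]):
            setters[(stanza, key)].append(app)
            effective.setdefault((stanza, key), (app, value))
    collisions = {k: v for k, v in setters.items() if len(v) > 1}
    return effective, collisions

def effective_patterns(apps):
    """Exclusion patterns that survive the merge, sorted."""
    return sorted(value for _, value in merge(apps)[0].values())

if __name__ == "__main__":
    for label, apps in (("same key", SAME_KEY), ("unique keys", UNIQUE_KEYS)):
        print(label, "->", effective_patterns(apps), "collisions:", merge(apps)[1])
```

Run against a real deployment by loading each app's distsearch.conf text into the dictionary; any reported collision is a lookup exclusion that silently does not apply.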