After extensive "googling", I didn't come to a comfortable consensus on what my next move should be. I am having bundle replication errors on a shc member due to a csv that is too large.
File: /opt/splunk/etc/apps/SA-AccessProtection/lookups/access_tracker2
Message: Content-Length of 5299163460 too large (maximum is 5000000000)
Is there a way to limit the size that this file can get? I do not want to increase the limit as I think it is large enough.
This app is native to ES, so shouldn't there be some kind of threshold already in place so the csv doesn't grow over a certain size?
Should I turn it into a KV store? If so, would I have to go through the app and make a lot of modifications due to going from csv to kvstore?
I am hoping for some clarity on the next move.
Thanks in advance.