Splunk Enterprise Security

ERROR ConfReplicationThread - Content Length too large , csv

Path Finder

After extensive "googling" I didnt come to a comfortable consensus on what my next move should be. I am having bundle replication errors on a shc member due to a csv that is too large.

File: /opt/splunk/etc/apps/SA-AccessProtection/lookups/access_tracker2

Message: Content-Length of 5299163460 too large (maximum is 5000000000)

Is there a way to limit the size that this file can get? I do not want to increase the limit as I think it is large enough.

This app is native to ES so shouldnt their be some kind of threshold already in place so the csv doesnt grow over a certain size?

Should I turn it into a KV store? If so, would I have to go through the app and make a lot of modification due to going to csv to kvstore?

I am hoping for some clarity on the next move.

Thanks in advance.