Splunk Enterprise

9.4.5: SearchHead Cluster csv notification!!!

verbal_666
Builder

Hello.

Installed today a little environment with 3 SHs in Clustered ENV with a full clean 9.4.5 installation.

The first message, after configuring and starting the cluster is

[image: sch_csv_replication.jpg]

I have no csv in $SPLUNK_HOME/ exceeding the limit size (which is 5GB, in memory).

What is it?

Thanks.

0 Karma

PrewinThomas
Motivator

@verbal_666 

If you’ve removed the file, redeploy the app bundle to the search head cluster and verify again.

index=_internal sourcetype=splunkd "quarantined lookup"

or run the same rest call


Alternatively, try adding at least a valid header row to the CSV, then push the bundle again and recheck.

If the message still appears, it may be a UI glitch or require some time to clear automatically.


Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
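The suggestions above (look for the quarantined asset, make sure the CSV is not empty and has a header row, then push the bundle again) can be turned into a pre-push check on the deployer. The script below is an added example by the editor, not code from the thread or from Splunk: it walks the standard deployer layout `$SPLUNK_HOME/etc/shcluster/apps/<app>/lookups/*.csv` and reports lookups that are zero bytes (the TEST.csv case in this thread), have a blank header row, or exceed a size ceiling. The ceiling default and the reason labels are the editor's assumptions, not Splunk settings; the sample app tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): find lookup CSVs under a deployer's
# shcluster/apps tree that are likely to be quarantined instead of replicated.

# check_lookups APPS_DIR [MAX_BYTES]
# Prints one line per problem, "<app>/<file><TAB><reason>".
# Returns 0 when nothing was found, 1 otherwise.
# MAX_BYTES defaults to 5 GiB here as an assumption; align it with the
# bundle size limit configured on your own cluster.
check_lookups() {
    apps_dir="$1"
    max_bytes="${2:-5368709120}"
    found=0
    for f in "$apps_dir"/*/lookups/*.csv; do
        [ -e "$f" ] || continue                      # glob matched nothing
        app=$(basename "$(dirname "$(dirname "$f")")")
        name=$(basename "$f")
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$size" -eq 0 ]; then
            printf '%s/%s\t%s\n' "$app" "$name" "empty_file"
            found=1
        elif [ "$size" -gt "$max_bytes" ]; then
            printf '%s/%s\t%s\n' "$app" "$name" "exceeds_${max_bytes}_bytes"
            found=1
        elif ! head -n 1 "$f" | grep -q '[^[:space:]]'; then
            # first line contains only whitespace: no usable header row
            printf '%s/%s\t%s\n' "$app" "$name" "blank_header_row"
            found=1
        fi
    done
    return $found
}

# make_sample: build a constructed app tree in a temp dir and print its path.
# The file names and contents are made up for this example.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/my_web_app/lookups" "$d/other_app/lookups"
    : > "$d/my_web_app/lookups/TEST.csv"                       # zero bytes
    printf 'host,status\nweb01,up\n' > "$d/other_app/lookups/hosts.csv"
    printf '\n' > "$d/other_app/lookups/blank.csv"             # newline only
    echo "$d"
}

# Usage on a real deployer (adjust the path and ceiling to your environment):
#   check_lookups "$SPLUNK_HOME/etc/shcluster/apps" 5368709120
```

Run it on the deployer before `splunk apply shcluster-bundle`; a non-zero exit means at least one lookup should be fixed or removed first. The same three conditions are what the `| rest /services/replication/configuration/quarantined-assets` output reports after the fact, with `lookup_size=0` in this thread's case.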

verbal_666
Builder

Query in splunkd gives no entries.

I tried,

1. edit the TEST.csv with lookup_editor, save... alarm still there!
2. delete TEST.csv... alarm still there!
3. remove the app from Deployer... alarm still there!
4. redeploy the app from Deployer... alarm still there!

It's quite mysterious.

Rolled back to 9.3.6... no alarm! 😷

0 Karma

PrewinThomas
Motivator

That's interesting.
Looks like a bug or UI glitch. Any possibility for you to test this on version 10.x?

0 Karma

verbal_666
Builder

I'll try 👍

0 Karma

verbal_666
Builder

Bah... that's strange... I first tried deleting the Deployer "var" completely and totally reinstalling the 9.4.5 SH-Cluster, and the problem is gone 🙄

It seems it was a first cluster notification that was stuck somewhere. I also deleted all the "var" from all SHC and relaunched the SHC bootstrap. Nothing happened.

Really do not know 😦

SPLUNK has some very strange behaviours sometimes 🤔

0 Karma

burwell
SplunkTrust

Looks like you can find the quarantined lookup files https://splunk.my.site.com/customer/s/article/Monitor-quarantined-lookup-files
verbal_666
Builder

I already searched the quarantined lookups...

| rest /services/replication/configuration/quarantined-assets splunk_server=local

Also the new query you linked gives the same csv...

nobody	my_web_app	TEST.csv	ae488df36e68414c86ef7d9c6f953fde8945cf92	[ {quarantined_at_host=https://centos:8089, quarantined_at=1761477321, lookup_size=0, quarantine_reason=lookup_size_unknown} ]	10/26/2025 12:15:21	0.00

1. "TEST.csv" is no longer present on the SH-Cluster, I deleted it 😶 the alarm persists!!!
2. "TEST.csv" was 0 KB in size anyway, empty 🤔
3. IMO "quarantine_reason=lookup_size_unknown" is some kind of bug!!!

0 Karma