Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to disable csv replication in the Search Head cluster.

arcdevil
Path Finder
‎02-03-2021 01:08 AM

Good afternoon, community.

There was a need to remove lookup files from replication between Search Heads (version 8.1.2).
Tried tweaking the server.conf file and setting the values:

conf_replication_include.lookups = false
conf_replication_summary.blacklist.lookups = (system | (apps / *) | users (/ _ reserved)? / * / *) / lookups / *

If the lookup file is created through the UI, it remains local, but unfortunately this does not help when using the outputlookup command and the file is distributed across the cluster.

Btool on search head:splunk btool --debug server list | grep lookupsplunk btool --debug server list | grep lookup

Search Head Clustering: Configuration Replication (when using the outputlookup command):Снимок экрана 2021-02-03 в 12.01.29.png

Perhaps you have any ideas where else to pay attention to completely close the possibility of replicating lookup files?

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-03-2021 11:30 AM

Hi @arcdevil,

You can blacklist your lookup files in distsearch.conf. A few samples are below.  

[replicationBlacklist]
all_lookups = apps/*/lookups/*
lookup_14csv = ...14.csv
samplelookup_14csv = apps/sample_app/lookups/14.csv

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Distsearchconf#REPLICATION_DENY_LIST_OPTIO...

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

arcdevil
Path Finder
‎02-04-2021 12:18 AM

Hello!

Thank you for your participation, but unfortunately I have already tried this option earlier 🙂
As I understand it, this setting works only when transferring a bundle from SHC to Indexer nodes.

distsearch.confdistsearch.conf

0 Karma
Reply

lakshman239
Influencer
‎05-18-2021 01:22 AM

I don't think there is an option in the inputlookup/outputlookup to exclude a lookup from replicating across the Search head cluster members. I believe this is by design, as you would want the lookup available across SHs. 

However, I understand the need for excluding a file/e.g. backup. Could be a good candidate for Splunk Ideas - https://docs.splunk.com/Documentation/Community/1.0/community/SplunkIdeas 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...