Splunk Enterprise
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to disable csv replication in the Search Head cluster.

arcdevil
Path Finder
‎02-03-2021 01:08 AM

Good afternoon, community.

There was a need to remove lookup files from replication between Search Heads (version 8.1.2).
Tried tweaking the server.conf file and setting the values:

conf_replication_include.lookups = false
conf_replication_summary.blacklist.lookups = (system | (apps / *) | users (/ _ reserved)? / * / *) / lookups / *

If the lookup file is created through the UI, it remains local, but unfortunately this does not help when using the outputlookup command and the file is distributed across the cluster.

Btool on search head:splunk btool --debug server list | grep lookupsplunk btool --debug server list | grep lookup

Search Head Clustering: Configuration Replication (when using the outputlookup command):Снимок экрана 2021-02-03 в 12.01.29.png

Perhaps you have any ideas where else to pay attention to completely close the possibility of replicating lookup files?

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-03-2021 11:30 AM

Hi @arcdevil,

You can blacklist your lookup files in distsearch.conf. A few samples are below.  

[replicationBlacklist]
all_lookups = apps/*/lookups/*
lookup_14csv = ...14.csv
samplelookup_14csv = apps/sample_app/lookups/14.csv

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Distsearchconf#REPLICATION_DENY_LIST_OPTIO...

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

arcdevil
Path Finder
‎02-04-2021 12:18 AM

Hello!

Thank you for your participation, but unfortunately I have already tried this option earlier 🙂
As I understand it, this setting works only when transferring a bundle from SHC to Indexer nodes.

distsearch.confdistsearch.conf

0 Karma
Reply

lakshman239
Influencer
‎05-18-2021 01:22 AM

I don't think there is an option in the inputlookup/outputlookup to exclude a lookup from replicating across the Search head cluster members. I believe this is by design, as you would want the lookup available across SHs. 

However, I understand the need for excluding a file/e.g. backup. Could be a good candidate for Splunk Ideas - https://docs.splunk.com/Documentation/Community/1.0/community/SplunkIdeas 

0 Karma
Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top