Splunk Enterprise

How to disable csv replication in the Search Head cluster.

arcdevil
Path Finder

Good afternoon, community.

There was a need to remove lookup files from replication between Search Heads (version 8.1.2).
Tried tweaking the server.conf file and setting the values:

conf_replication_include.lookups = false
conf_replication_summary.blacklist.lookups = (system | (apps / *) | users (/ _ reserved)? / * / *) / lookups / *

If the lookup file is created through the UI, it remains local, but unfortunately this does not help when using the outputlookup command and the file is distributed across the cluster.

Btool on search head:splunk btool --debug server list | grep lookupsplunk btool --debug server list | grep lookup

Search Head Clustering: Configuration Replication (when using the outputlookup command):Снимок экрана 2021-02-03 в 12.01.29.png

Perhaps you have any ideas where else to pay attention to completely close the possibility of replicating lookup files?

 

Labels (2)
Tags (1)
0 Karma

scelikok
SplunkTrust
SplunkTrust

Hi @arcdevil,

You can blacklist your lookup files in distsearch.conf. A few samples are below.  

[replicationBlacklist]
all_lookups = apps/*/lookups/*
lookup_14csv = ...14.csv
samplelookup_14csv = apps/sample_app/lookups/14.csv

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Distsearchconf#REPLICATION_DENY_LIST_OPTIO...

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma

arcdevil
Path Finder

Hello!

Thank you for your participation, but unfortunately I have already tried this option earlier 🙂
As I understand it, this setting works only when transferring a bundle from SHC to Indexer nodes.

distsearch.confdistsearch.conf

0 Karma

lakshman239
Influencer

I don't think there is an option in the inputlookup/outputlookup to exclude a lookup from replicating across the Search head cluster members. I believe this is by design, as you would want the lookup available across SHs. 

However, I understand the need for excluding a file/e.g. backup. Could be a good candidate for Splunk Ideas - https://docs.splunk.com/Documentation/Community/1.0/community/SplunkIdeas 

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...