Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to disable csv replication in the Search Head cluster.

arcdevil
Path Finder
‎02-03-2021 01:08 AM

Good afternoon, community.

There was a need to remove lookup files from replication between Search Heads (version 8.1.2).
Tried tweaking the server.conf file and setting the values:

conf_replication_include.lookups = false
conf_replication_summary.blacklist.lookups = (system | (apps / *) | users (/ _ reserved)? / * / *) / lookups / *

If the lookup file is created through the UI, it remains local, but unfortunately this does not help when using the outputlookup command and the file is distributed across the cluster.

Btool on search head:splunk btool --debug server list | grep lookupsplunk btool --debug server list | grep lookup

Search Head Clustering: Configuration Replication (when using the outputlookup command):Снимок экрана 2021-02-03 в 12.01.29.png

Perhaps you have any ideas where else to pay attention to completely close the possibility of replicating lookup files?

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎02-03-2021 11:30 AM

Hi @arcdevil,

You can blacklist your lookup files in distsearch.conf. A few samples are below.  

[replicationBlacklist]
all_lookups = apps/*/lookups/*
lookup_14csv = ...14.csv
samplelookup_14csv = apps/sample_app/lookups/14.csv

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Distsearchconf#REPLICATION_DENY_LIST_OPTIO...

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

arcdevil
Path Finder
‎02-04-2021 12:18 AM

Hello!

Thank you for your participation, but unfortunately I have already tried this option earlier 🙂
As I understand it, this setting works only when transferring a bundle from SHC to Indexer nodes.

distsearch.confdistsearch.conf

0 Karma
Reply

lakshman239
Influencer
‎05-18-2021 01:22 AM

I don't think there is an option in the inputlookup/outputlookup to exclude a lookup from replicating across the Search head cluster members. I believe this is by design, as you would want the lookup available across SHs. 

However, I understand the need for excluding a file/e.g. backup. Could be a good candidate for Splunk Ideas - https://docs.splunk.com/Documentation/Community/1.0/community/SplunkIdeas 

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...