@ankitarath2011 , 

Agreed, generally it is recommended to instead blacklist items in your search head apps that don't need to be sent to the indexers, as this will keep your bundle sizes down. A few additional suggestions:

• The Admins Little Helper for Splunk app can help identify bundle contents (and computed/expected contents)
• For more information about bundle size, refer to
  • https://docs.splunk.com/Documentation/Splunk/latest/Admin/Distsearchconf

maxBundleSize = <int>
* The maximum size (in MB) of the bundle for which replication can occur. If the bundle is larger than this bundle replication will not occur and an error message will be logged.
* Defaults to: 2048 (2GB)​

• and: Large lookup caused the bundle replication to fail. What are my options
• Alternatively, you may find large lookups and configure limits.conf accordingly:
  1. To find large lookup files check bundles on the indexer in $SPLUNK_HOME/var/run/searchpeers/.
  2. Copy one of the bundles from $SPLUNK_HOME/var/run/searchpeers/ over to a tmp dir and run:

tar xvf <file>.bundle
find -type f -exec du -h {} \; | grep .csv

• Set max_memtable_bytes larger than the largest lookup in limits.conf:

[lookup]
max_memtable_bytes = 2*<size of the largest lookup>

example:
On all indexers in limits.conf set:
(for unclustered indexers: $SPLUNK_HOME/etc/system/local/limits.conf; for clustered indexers, use the _cluster app on the Cluster Manager or if you distribute indexes.conf and other indexer settings in a custom app, place it in there)

[lookup]
max_memtable_bytes = 135000000
#equals to 135MB, where the largest lookup file was 120MB

Hi

here is link to old post for your replication issue https://community.splunk.com/t5/Splunk-Search/Large-lookup-caused-the-bundle-replication-to-fail-Wha... there are some more if you need.

Can you describe your SHC environment, so we can better understand your issue (OS, versions, size, apps, lookups etc.)?

r. Ismo