How are the lookups updated after entering them in a blacklist?

efaundez
Path Finder

Good morning,

My question is the following: we are currently working in a cluster environment, and these lookup files are a problem for Splunk, so by sending them to the blacklist we prevent them from being stored on the indexers.

The question is this... does anyone know what process, or how, Splunk updates the information of these files on the search head, since these lookups are on a blacklist?

I would be grateful for any information.

Regards

0 Karma

rjteh_splunk
Splunk Employee

@efaundez Blacklisting the lookups in distsearch.conf only prevents the SH from replicating them to the search peers/indexers via the knowledge bundle. In essence, any modifications via search commands (e.g. outputlookup) or UI modifications should still be replicated/synced across the SHs in a SHC setup.

Another way to sync lookup files between SHs in a cluster environment is through the Deployer (documented in the URL below), but any modifications to the lookups via a search command/UI will be overridden. Hence this method is usually not preferred to sync lookups.

https://docs.splunk.com/Documentation/Splunk/7.3.0/DistSearch/PropagateSHCconfigurationchanges#Prese...

Regarding the process of how lookups are synced across the SHs: each SH maintains a configuration baseline, and if changes are made to a file, they are pushed to the other SHs and the baseline is then changed to the new/incremented one.

0 Karma

anthonyconstant
Engager

Thanks for the perfect answer.

0 Karma

efaundez
Path Finder

Thanks for your answer.

Currently, for study purposes, we are trying to investigate the form or process that helps to synchronize the information in a search head cluster environment. For this case we know that the knowledge bundle is created on the captain (.bundle and .delta), replicating and synchronizing all the information in the cluster, but for this particular case, when sending information to the blacklist, what is the process called that helps to synchronize the information when it is not on the blacklist?

If they are not synchronized by the .bundle or .delta, how are they updated?

PS: sorry if my question is not well formulated.

I have a new question: we know that lookups can work with local=true (only on the search head). How do I avoid that, despite entering them in the blacklist, this message appears:

"message =" Error in 'lookup' command: Could not construct lookup 'local = t, "

What it means is that even if you enter it in the blacklist, if there is a configuration that modifies the lookups or requires them on the indexers, this message will appear all the same.

This topic is of real importance: avoid that the lookups go to the indexers and, if I apply the blacklist, avoid that this message appears.

Regards

0 Karma

HiroshiSatoh
Champion

Replicating lookup tables only on the search heads
There are situations in which you might not want to replicate lookup tables to the indexers. For example, if you are using the outputcsv or inputcsv commands, those commands always run on the search head. If you only want to replicate the lookup table on the search heads in a search head clustering setup, set replicate=false in the transforms.conf file.

Enable custom indexing
You can also improve lookup performance by configuring which fields are indexed by using the index_fields_list setting in the transforms.conf file. The index_fields_list is a list of all fields that need to be indexed for your static CSV lookup file.

Please read this:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Knowledge/ConfigureCSVlookups

0 Karma
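The two mechanisms the answers above refer to, side by side, as an added configuration example that is not part of the original thread (the app name, lookup name and file name are placeholders):

```ini
# --- $SPLUNK_HOME/etc/system/local/distsearch.conf on the search head ---
# Keeps matching files OUT of the knowledge bundle (.bundle / .delta) that the
# captain sends to the indexers. It does NOT stop the search head cluster from
# replicating outputlookup/UI edits of the file between search heads: that is
# driven by the per-SH configuration baseline described above.
# Patterns are relative to $SPLUNK_HOME/etc; '...' matches any number of
# directories, '*' matches within one path component.
[replicationBlacklist]
excludeLargeLookup = apps/<app_name>/lookups/large_lookup.csv

# --- $SPLUNK_HOME/etc/apps/<app_name>/local/transforms.conf ---
# Same outcome, but keyed on the lookup definition instead of the file path:
# the lookup stays on the search heads only. One of the two mechanisms is
# enough; they are shown together only to contrast them.
[large_lookup]
filename = large_lookup.csv
replicate = false
```

A search that uses a lookup kept off the indexers has to run the lookup on the search head, e.g. `| lookup local=true large_lookup ...`; any configuration that still needs the file on the indexers will produce the "Could not construct lookup" error quoted in the thread.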

efaundez
Path Finder

Thanks for the reply.

Regarding what I asked: do you know how the replication of these files that are not in the bundle works? I know that all the changes that are made will be synchronized on the search head and indexer (cluster), but what is the process that updates these files and allows the search heads to have the updated information?

0 Karma