My question is the following: I am currently working in a cluster environment and these files are a problem for Splunk, so by sending them to the blacklist we prevent them from being stored in the indexers.
The question is this ... does anyone know what process, or how, Splunk uses to update the information of these files in the search head, since these lookups are on a blacklist?
I would be grateful for any information.
Replicating lookup tables only on the search heads
There are situations in which you might not want to replicate lookup tables to the indexers. For example, if you are using the outputcsv or inputcsv commands, those commands always run on the search head. If you only want to replicate the lookup table on the search heads in a search head clustering setup, set replicate=false in the transforms.conf file.
Enable custom indexing
You can also improve lookup performance by configuring which fields are indexed by using the index_fields_list setting in the transforms.conf file. The index_fields_list is a list of all fields that need to be indexed for your static CSV lookup file.
Thanks for the reply
Regarding what I ask: do you know how the replication of these files that are not in the bundle works? I know that all the changes that are made will be synchronized in the search head and indexer (cluster), but what is the process that updates these files and allows the search heads to have the updated information?
@efaundez blacklisting the lookups in distsearch.conf only prevents the SH from replicating them to the search peers/indexers via the knowledge bundle. In essence, any modifications via search commands (e.g. outputlookup)/UI modifications should still be replicated/synced across the SH in a SHC setup.
Another way to sync lookup files between SHs in a cluster environment is through the Deployer (documented in the URL below), but any modifications to the lookups via a search command/UI will be overridden. Hence this method is usually not preferred for syncing lookups.
Regarding the process of how lookups are synced across the SH(s): each SH maintains a configuration baseline, and if changes are made to a file, they are pushed to the other SHs and the baseline is then changed to the new/incremented one.
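As an added illustration (not from this thread and not Splunk's own documentation), here are the two mechanisms mentioned above side by side: a distsearch.conf blacklist that keeps matching lookup files out of the knowledge bundle sent to the search peers, and a transforms.conf lookup stanza with replicate=false for the search-head-only case. The stanza key name nolookups_example, the app name myapp and the file name large_lookup.csv are assumed placeholders; confirm the exact regex matching rules against distsearch.conf.spec on your version before relying on them.

```ini
# $SPLUNK_HOME/etc/system/local/distsearch.conf  (on the search heads)
# Files whose path matches the regex are left out of the knowledge bundle,
# so they are never shipped to the indexers. The key name, app name and
# file name below are assumed examples, not values from the thread.
[replicationBlacklist]
nolookups_example = apps/myapp/lookups/large_lookup\.csv

# $SPLUNK_HOME/etc/apps/myapp/local/transforms.conf
# Per-lookup alternative for lookups that are only ever used on the
# search head (e.g. with inputcsv/outputcsv): the definition itself says
# "do not replicate me". Changes made via outputlookup or the UI are still
# synced between the search heads of the SHC as described above.
[large_lookup]
filename = large_lookup.csv
replicate = false
```

Whichever of the two you use, check the bundle contents after the next replication (the .bundle under var/run on the search head) to confirm the file really stopped being included.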
Thanks for your answer.
Currently, for study purposes, we are trying to investigate the form or process that helps to synchronize the information in a search head cluster environment. For this case we know that the knowledge package is created on the captain (.bundle and .delta), replicating and synchronizing all the information in the cluster, but for this particular case, when sending information to the blacklist, what is the process called that helps to synchronize the information when it is not on the blacklist?
If it is not synchronized by the .bundle or .delta, how are they updated?
PS: sorry if my question is not well formulated.
I have a new question: we know that lookups can work with local = true (only on the search head), so how do I avoid this message appearing, despite having entered them in the blacklist?
"message =" Error in 'lookup' command: Could not construct lookup 'local = t, "
What it means is that even if you enter it in the blacklist, if there is a configuration that modifies the lookups or they are required on the indexers, this message will still appear.
This topic is of real importance: to prevent the lookups from going to the indexers and, if I apply the blacklist, to prevent this message from appearing.